New Code Red worm variant need not cause panic

March 12, 2003 Sophos Press Release

Code RedA new variant of the infamous Code Red worm is unlikely to cause much havoc, say Sophos experts.

The new worm, a minor variant of Code Red II, relies on a well known flaw in some versions of Microsoft's IIS web server software, but due to the high media profile and concern about earlier versions of Code Red many businesses have already protected themselves.

However, some system administrators may still not have taken appropriate action, despite Microsoft having first issued a patch against the vulnerability in 2001.

"Worms like Code Red not only infect your server, they also generate huge amounts of unnecessary internet traffic," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Having an unpatched server is irresponsible, because you put yourself at risk whilst potentially spreading the worm to others. There is no excuse for sitting back and waiting to become a victim. If you use IIS and you haven't acted already, do so now."

Sophos recommends that users who have not already updated their versions of Microsoft IIS refer to the security bulletin published on Microsoft's website.

System administrators are also advised to consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.asp. Other vendors offer similar services.

One little known fact about the Code Red worm is that it acquired its name from the "Code Red" cherry flavour of the Mountain Dew soft drink. One of the first researchers to analyse the worm consumed large amounts of the drink whilst examining the worm's code.