W32/CodeRed-II

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 06 Aug 2001 00:00:00 (GMT)
Last Updated: 06 Aug 2001 00:00:00 (GMT)
Prevalence: Small Number of Reports


W32/CodeRed-II is a worm that exploits a bug in Microsoft Internet Information Server (IIS) versions 4 and 5. A patch to fix the security hole is available from Microsoft.

The worm exploits a buffer overflow bug in IIS triggered by a crafted HTTP GET request. Once running on the system, it attempts to replicate to other machines with the same vulnerability: 1 in 8 times the target is a random IP address, 3 in 8 times it is restricted to class B subnets and 4 in 8 times to class C subnets.

The worm drops the file C:\explorer.exe, which is run automatically the next time someone logs on to the machine. It also finds the command shell cmd.exe and copies it into the scripts and MSADC directories as root.exe.

When run, C:\explorer.exe first calls the original explorer.exe and then sets the registry entry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = -99, which disables the System File Cache. It also sets the entries:

HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/C = C:\,,217
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/D = D:\,,217

It also changes the registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/Scripts
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/MSADC

so that the trailing number becomes 217. For example, C:\inetpub\scripts,,204 becomes C:\inetpub\scripts,,217. These settings make it possible to run root.exe in the relevant directories and issue commands to the remote machine. They also allow any program on drives C: and D: to be executed remotely. The file C:\explorer.exe is detected as Troj/Codered-II.
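As an added example (not part of the Sophos description or any Sophos tool), the following Python check audits host data for the artefacts listed above: the SFCDisable value, the /C, /D, /Scripts and /MSADC virtual roots, and the dropped files. The registry values and file list are constructed sample data; on a live Windows host they would be collected with winreg and os.path.exists, and the MSADC directory path used here is an assumed placeholder.

```python
VROOT_BASE = r"HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"
SFC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable"
CODERED_VROOT_FLAGS = "217"  # trailing number the worm writes into the virtual roots

def parse_vroot(value):
    """Split an IIS virtual root value of the form 'path,,flags' into (path, flags)."""
    parts = value.split(",")
    return parts[0].strip(), (parts[-1].strip() if len(parts) > 1 else "")

def audit_host(registry, files):
    """Return findings for CodeRed-II artefacts. registry: dict of full registry path
    -> value (int for DWORD, str otherwise); files: paths present (case-insensitive)."""
    findings = []
    present = {f.lower() for f in files}
    # 1. SFCDisable = -99 (stored in the registry as the DWORD 0xFFFFFF9D)
    sfc = registry.get(SFC_KEY)
    if isinstance(sfc, int) and (sfc & 0xFFFFFFFF) == (-99 & 0xFFFFFFFF):
        findings.append("SFCDisable set to -99 by the worm")
    # 2. /C and /D exposing drive roots; /Scripts and /MSADC re-flagged to 217
    for name, value in registry.items():
        if not name.startswith(VROOT_BASE + "\\") or not isinstance(value, str):
            continue
        vroot = name[len(VROOT_BASE) + 1:]
        path, flags = parse_vroot(value)
        if vroot in ("/C", "/D") and len(path) <= 3 and path.endswith(":\\"):
            findings.append(f"virtual root {vroot} maps to drive root {path},,{flags}")
        elif vroot in ("/Scripts", "/MSADC") and flags == CODERED_VROOT_FLAGS:
            findings.append(f"virtual root {vroot} flags changed to {flags}")
    # 3. Dropped C:\explorer.exe and root.exe copies of cmd.exe (the genuine explorer.exe
    #    in the Windows directory is not an indicator and is left alone)
    if r"c:\explorer.exe" in present:
        findings.append(r"dropped file C:\explorer.exe present (Troj/Codered-II)")
    for f in sorted(present):
        if f.endswith("\\root.exe") and ("\\scripts\\" in f or "\\msadc\\" in f):
            findings.append(f"cmd.exe copy {f} present")
    return findings

# Constructed sample data mirroring the description above; not captured from a real host.
SAMPLE_REGISTRY = {
    SFC_KEY: -99,
    VROOT_BASE + r"\/C": r"C:\,,217",
    VROOT_BASE + r"\/D": r"D:\,,217",
    VROOT_BASE + r"\/Scripts": r"C:\inetpub\scripts,,217",
    VROOT_BASE + r"\/MSADC": r"C:\inetpub\wwwroot\msadc,,217",  # assumed placeholder path
}
SAMPLE_FILES = {r"C:\explorer.exe", r"C:\WINNT\explorer.exe",
                r"C:\inetpub\scripts\root.exe", r"C:\inetpub\wwwroot\msadc\root.exe"}

if __name__ == "__main__":
    print("\n".join(audit_host(SAMPLE_REGISTRY, SAMPLE_FILES)))
```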