FRISK Software International

Summary of W32/Code Red
Discovered: 7 Aug 2001
Definition files: 7 Aug 2001

Brief Description

As previously noted, the Code Red computer worm has been causing great havoc among computer users around the globe. The worm was first detected a little more than two weeks ago. It is named after a cola drink from Pepsi.

The Code Red worm responds to the computer's date. The average computer user need not be greatly concerned, since Code Red does not affect the 95, 98, or ME versions of Windows. System administrators and webmasters, on the other hand, should keep their eyes open for possible security risks.

Between the 1st and 20th of each month, Code Red proliferates rapidly and spreads itself to other computers. From the 20th through the 27th of each month, it attacks the White House's official website.

Code Red has by now become widespread, infecting around 250 thousand web servers in a short period of time. The worm uses a security flaw in Microsoft's IIS web server (versions 4.0 and 5.0) to attack other computers running the IIS web server. It multiplies by randomly picking 100 IP addresses and trying to attack the computers at those addresses. If those computers are running an IIS web server that has not been updated, the worm spreads on. Hackers can thus use the worm to recognize infected computers that are vulnerable and gain control over them. Code Red also affects certain types of Cisco routers: they become ineffective from the moment the worm passes through them until they have been reset.

Code Red is the first worm known not to multiply by copying itself to files or infecting them; it resides only in the computer's memory and multiplies through a stream of data between computers.
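Because the worm leaves no file to scan and spreads by contacting batches of addresses, one place a defender can look is outbound connection logs, where a web server suddenly reaching many distinct hosts stands out. The following is an added example, not part of the original advisory or FRISK's own code; the log format, TCP port 80, the 60-second window and the threshold of 100 destinations are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

def fanout_suspects(records, threshold=100, window=60, dport=80):
    """Map each source that reached `threshold` distinct destinations on
    `dport` within `window` seconds to the time it crossed the threshold.
    records: time-sorted 'epoch src_ip dst_ip dst_port' lines (assumed format)."""
    recent = defaultdict(deque)                     # src -> (ts, dst) in window
    counts = defaultdict(lambda: defaultdict(int))  # src -> dst -> hits in window
    suspects = {}
    for line in records:
        parts = line.split()
        if len(parts) != 4:
            continue                                # skip malformed lines
        try:
            ts, port = float(parts[0]), int(parts[3])
        except ValueError:
            continue
        src, dst = parts[1], parts[2]
        if port != dport or src in suspects:
            continue
        q, c = recent[src], counts[src]
        q.append((ts, dst))
        c[dst] += 1
        # Drop connections that have aged out of the sliding window.
        while ts - q[0][0] > window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) >= threshold:
            suspects[src] = ts
    return suspects

def sample_log():
    """Constructed sample data using documentation address ranges."""
    lines = []
    for i in range(100):   # server reaching 100 distinct hosts in 20 seconds
        lines.append(f"{1000 + i * 0.2:.1f} 192.0.2.10 198.51.100.{i + 1} 80")
    for i in range(100):   # host reaching 100 hosts, one every 30 seconds
        lines.append(f"{1000 + i * 30:.1f} 192.0.2.20 203.0.113.{i + 1} 80")
    for i in range(200):   # client re-requesting one site 200 times
        lines.append(f"{1000 + i * 0.1:.1f} 192.0.2.30 198.51.100.7 80")
    return sorted(lines, key=lambda l: float(l.split()[0]))

if __name__ == "__main__":
    print(fanout_suspects(sample_log()))
```

Counting distinct destinations inside a sliding window, rather than raw connections, keeps a busy client that repeatedly visits one site from being flagged.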

Anti-virus software is not sufficient in this case to prevent damage caused by the worm. Users of the IIS web server from Microsoft must download a patch for the IIS web server from Microsoft's website:

Windows 2000

Windows NT 4.0

Microsoft urges users to update their IIS web server as soon as possible to prevent Code Red from causing greater damage and also to prevent others with questionable intentions from taking advantage of this security flaw in the future. In all there could be around 6 million web servers in the world facing this danger.

FRISK Software International's Viruslab Team
