SECURITY ALERT

Name:      W32/CodeRed.f.worm
Aliases:   CodeRed.F, CODERED.F, CodeRed, Win32.CodeRed.F
Variants:  
Type:      Internet Worm
Platforms: Windows NT/2000, Microsoft IIS
Status:    in the wild
Threat:    V-CON 2 (low)

The following has been derived from information provided by NAI, Symantec and Trend Micro.

Virus Characteristics

This variant is nearly identical to W32/CodeRed.c.worm; the only difference is the trigger date. W32/CodeRed.c.worm runs only if the system year is earlier than 2002, whereas this variant runs if the year is earlier than 34952, which in practice removes the expiry date.

The worm scans IP addresses for Microsoft IIS 4.0 and 5.0 web servers that are still vulnerable to the Index Server ISAPI extension buffer overflow (MS01-033) and exploits it to infect remote machines. The worm code runs entirely in the memory of the IIS process rather than being copied to the system as a file; only the backdoor described below is written to disk.

W32/CodeRed.f.worm drops a backdoor trojan, saved as c:\explorer.exe and d:\explorer.exe so that a system drive of either C: or D: is covered. This exploits the "Relative Shell Path" vulnerability (MS00-052): Windows resolves the relative shell name by running c:\explorer.exe before %windir%\explorer.exe, so the trojan runs whenever EXPLORER.EXE is started by name, including at every logon. The trojan does nothing more than write certain values to the registry every 10 minutes; it is these registry values that open the hole in the system, and rewriting them every 10 minutes defeats a one-off manual cleanup while the trojan is still running.

On the next reboot, the trojan carries out its payload and then calls the original explorer.exe. The trojan adds the following registry value, which disables Windows File Protection so that protected system files can be replaced without being restored:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable

Two values are added to the following key, mapping the C: and D: drives as web virtual roots so that a remote attacker can browse them with a web browser:

HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots

Also under this key, the /Scripts and /MSADC values are reconfigured to allow read/write access to the paths associated with these values.
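The registry and file indicators above can be checked mechanically. The following is an added example written for this page, not part of the advisory or of any vendor's tool: assess() applies the indicator logic to a host snapshot (so it can be run offline against values exported from a suspect machine), and collect() gathers that snapshot on a live Windows host through winreg. The value names /C and /D in the constructed sample are an assumption; the advisory only says that two values exposing C: and D: are added, so the check keys on any virtual root whose path is a bare drive rather than on the value name.

```python
"""Host triage for the CodeRed.f / CodeRed II backdoor indicators in this
advisory: the planted c:\\explorer.exe and d:\\explorer.exe, SFCDisable under
Winlogon, and Virtual Roots entries that publish a whole drive.

Added example; not from the advisory or any vendor tool. Sample values in
__main__ are constructed for demonstration.
"""
import os
import sys

TROJAN_PATHS = (r"c:\explorer.exe", r"d:\explorer.exe")
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VROOTS_KEY = r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"


def _root_path(data):
    """Virtual Roots data is stored as 'path,username,flags'; return the path."""
    return str(data).split(",", 1)[0].strip().lower()


def assess(files_present, winlogon_values, vroots):
    """Return a list of finding strings for one host snapshot.

    files_present   -- iterable of file paths that exist on disk
    winlogon_values -- {value name: data} read from the Winlogon key
    vroots          -- {value name: data} read from the Virtual Roots key
    """
    findings = []
    present = {p.lower() for p in files_present}
    for path in TROJAN_PATHS:
        if path in present:
            findings.append(f"trojan present: {path} (shadows %windir%\\explorer.exe)")
    sfc = winlogon_values.get("SFCDisable")
    if sfc not in (None, 0):
        findings.append(f"Windows File Protection disabled: SFCDisable={sfc}")
    for name, data in vroots.items():
        path = _root_path(data)
        # A root whose path is a bare drive ('c:' or 'c:\') publishes the whole drive.
        if len(path) <= 3 and path[1:2] == ":":
            findings.append(f"virtual root {name} exposes drive {path}")
    return findings


def collect():
    """Gather the snapshot from a live Windows host and assess it."""
    if sys.platform != "win32":
        raise RuntimeError("collect() needs a Windows host; use assess() on a snapshot")
    import winreg

    def read_values(subkey):
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                i = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(key, i)
                    except OSError:  # no more values
                        break
                    values[name] = data
                    i += 1
        except OSError:
            pass  # key absent, e.g. IIS not installed
        return values

    files = [p for p in TROJAN_PATHS if os.path.exists(p)]
    return assess(files, read_values(WINLOGON_KEY), read_values(VROOTS_KEY))


if __name__ == "__main__":
    # Constructed snapshot of an infected host; flag values are illustrative only.
    sample = assess(
        [r"C:\explorer.exe"],
        {"SFCDisable": 1},
        {"/C": r"c:\,,1", "/D": r"d:\,,1", "/Scripts": r"c:\inetpub\scripts,,1"},
    )
    for finding in sample:
        print(finding)
```

The /Scripts and /MSADC entries are deliberately not judged by this check: the correct flags field for them depends on the site's own baseline, so compare them against a known-good export from an uninfected server.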

These changes allow a remote attacker to execute shell commands on the local system by sending them in a URL: with the drives published as virtual roots, a request for cmd.exe through one of those roots runs it with the attacker's arguments supplied in the query string, and the whole of C: and D: can be read or written through the web server.
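Both halves of this activity leave a recognisable trace in the IIS W3C extended log: the propagation attempt is a request for an .ida/.idq resource with an oversized query string (the MS01-033 overflow), and use of the backdoor is a request that reaches cmd.exe through a virtual root or any request under the published drive roots. The following detection is an added example written for this page, not part of the advisory. The log lines are constructed, not real captures; the query-length threshold and the /c/ and /d/ root names are assumptions.

```python
"""Flag CodeRed-style propagation and backdoor use in IIS W3C log lines.

Added example, not from the advisory. Sample log below is constructed.
"""
import re
from urllib.parse import unquote

QUERY_LEN_THRESHOLD = 200       # assumption: legitimate .ida/.idq queries are short
DRIVE_ROOTS = ("/c/", "/d/")    # assumed names of the two added virtual roots
CMD_RE = re.compile(r"cmd\.exe", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per record, naming columns from the #Fields: directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated record
        yield dict(zip(fields, parts))


def classify(rec):
    """Return 'exploit', 'backdoor' or None for one parsed record."""
    stem = unquote(rec.get("cs-uri-stem", "")).lower()
    query = rec.get("cs-uri-query", "-")
    query = "" if query == "-" else query      # IIS logs '-' for an empty query
    if stem.endswith((".ida", ".idq")) and len(query) >= QUERY_LEN_THRESHOLD:
        return "exploit"
    if CMD_RE.search(stem) or stem.startswith(DRIVE_ROOTS):
        return "backdoor"
    return None


def scan(lines):
    """Return (kind, client ip, method, stem, status) for each suspicious record."""
    hits = []
    for rec in parse_w3c(lines):
        kind = classify(rec)
        if kind:
            hits.append((kind, rec.get("c-ip"), rec.get("cs-method"),
                         rec.get("cs-uri-stem"), rec.get("sc-status")))
    return hits


# Constructed sample in IIS W3C extended format; not a real capture.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-06 10:00:01 10.1.1.20 GET /index.htm - 200",
    "2001-08-06 10:00:05 10.1.1.21 GET /default.ida " + "X" * 224 + " 200",
    "2001-08-06 10:00:09 10.1.1.22 GET /c/winnt/system32/cmd.exe /c+dir 200",
    "2001-08-06 10:00:15 10.1.1.24 GET /scripts/search.idq q=codered 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 status on the .ida request does not mean the host was compromised (an unpatched but non-vulnerable configuration can also answer 200), so treat the exploit hits as scanning sources to block and the backdoor hits as evidence that needs the host check and a rebuild.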

If you run Microsoft IIS, we strongly recommend applying the Microsoft patch for the Index Server ISAPI vulnerability that the worm exploits:

http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.

A cumulative patch for IIS that includes the four patches released to date is available at:

http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.

The following Microsoft security patch addresses the "Relative Shell Path" Vulnerability and stops the dropped trojan from being run in place of the real explorer.exe:

http://www.microsoft.com/technet/security/bulletin/MS00-052.asp


Payload

Installs a backdoor trojan on the web server allowing remote execution/access


Preventative Measures

Install the latest patch from Microsoft for the IIS Server:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.

Cumulative patch for IIS (includes four patches released to date):
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.

Apply the Microsoft Security patch for the "Relative Shell Path" Vulnerability:
http://www.microsoft.com/technet/security/bulletin/MS00-052.asp


Fixes Available

Network Associates:
Minimum DAT: 4152
Release Date: 08/06/2001
Minimum Engine: 4.1.60

Symantec:
Virus Definitions (Intelligent Updater): August 05, 2001
Virus Definitions (LiveUpdate): August 05, 2001

Trend: No information at time of alert
