North American Network Operators Group


Re: Code Red II

  • From: Stephen J. Wilcox
  • Date: Sun Aug 05 07:38:44 2001

There is a useful document at

http://www.incidents.org/diary/diary.php

which offers an explanation of what CRII does and some useful ways in which
we can stop it, e.g. by filtering at transparent caches etc. - worth a read.

Basically the new variant slaps a huge backdoor in infected machines;
here's what I got connecting to one of the hosts that had tried to attack
me with CRII:

# telnet !!! 80
Trying !!!...
Connected to !!!.
Escape character is '^]'.
GET /scripts/root.exe
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 05 Aug 2001 11:42:19 GMT
Content-Type: application/octet-stream
Microsoft Windows 2000 [Verze 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

c:\inetpub\scripts>


Not good! I've copied below some of the details from a UNIRAS message
which gives you an outline of why CRII is nasty:

This variant uses the identifier "CodeRedII" for self-recognition and thus
does not reinfect systems it has already infected. It checks whether
Chinese (either Traditional or Simplified) is the language installed on
the system. If it is Chinese, it creates 600 threads and spreads for
48 hours. On a non-Chinese system it creates 300 threads and spreads for 24
hours. After that, it reboots the system. On 12am Oct 1, 2001 GMT it goes
to sleep for good.
The worm tends to probe nearby systems with probability 50% (4/8) - same
Class A net (255.0.0.0); 37.5% (3/8) - same Class B subnet (255.255.0.0);
12.5% (1/8) - random.

This variant also creates a backdoor. It tries to copy %windir%\CMD.EXE to
c:\inetpub\scripts\root.exe, c:\progra~1\common~1\system\MSADC\root.exe,
d:\inetpub\scripts\root.exe, and
d:\progra~1\common~1\system\MSADC\root.exe. It also tries to create the
files c:\explorer.exe and d:\explorer.exe which it carries within itself.
Explorer.exe trojan: Windows looks for c:\explorer.exe before looking for
%windir%\explorer.exe. On the next reboot, the trojan calls the original
explorer.exe. The trojan adds the value SFCDisable to
SOFTWARE\Microsoft\Windows NT\CurrentVariant\Winlogon and modifies the
keys under SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual
Roots. It then goes to sleep and remodifies the registry keys every 10
minutes.

An infected system is automatically rebooted 24 hours from infection and
will load the first copy of explorer.exe it comes across - in this case
the modified one in the root directory.  The system then appears to boot
normally but in reality there is now an open door to the outside world to
be exploited as necessary. An old Microsoft vulnerability (notified in
MS00-052) (UNIRAS Briefing Notice - No. E111/00 dated 31.07.00) allows the
system to load the first explorer.exe (or any file for that matter) that
it comes across in the directory structure. In this case the first one
will be the modified version of explorer.exe in the root directory, which
is a Trojan.

UNIRAS Assessment
This new Code Red variant has the ability to infect systems originally
infected with the first two variants. Variant three will overwrite the
other variants.  As this new variant does not have a flooding capability
it will not flood the former Whitehouse IP address on the 20th of the
month. The increased number of threads executed by the new variant, and
its feature of searching thoroughly within a subnet means there is a much
greater risk than before of localised Denial of Service. By 6 August there
should be no non-Chinese systems infected with code red, only thousands of
systems that contain a back door.
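As an added detection example (not from the original post or from UNIRAS), the following Python scans IIS W3C extended log lines for requests to the root.exe backdoor paths the advisory names, separating a probe against a clean host (non-200) from a successful call against a backdoored one (200). The log field names, the mapping of the scripts and MSADC directories to their web paths, and the sample addresses are assumptions or constructed for the example.

```python
# Web paths of the CMD.EXE copies described in the UNIRAS text above.
# Assumption: IIS serves c:\inetpub\scripts and ...\MSADC as /scripts and /MSADC.
BACKDOOR_PATHS = {"/scripts/root.exe", "/msadc/root.exe"}

# Constructed sample in IIS 5 W3C extended format: the first client exercises
# a live backdoor (200), the second only probes a host that is not infected (404).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-05 11:42:19
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-08-05 11:42:19 192.0.2.10 GET /scripts/root.exe 200
2001-08-05 11:43:02 192.0.2.10 GET /MSADC/root.exe 200
2001-08-05 11:45:00 198.51.100.7 GET /scripts/root.exe 404
2001-08-05 11:46:11 203.0.113.5 GET /index.html 200
"""

def parse_w3c(lines):
    """Turn W3C extended log lines into dicts keyed by the #Fields: header."""
    fields, rows = None, []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#") or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):   # skip malformed lines rather than guess
                rows.append(dict(zip(fields, parts)))
    return rows

def find_backdoor_activity(rows):
    """Per client IP, count root.exe requests that were refused (probe) or
    answered 200 (success: the backdoor exists on this server and ran)."""
    hits = {}
    for r in rows:
        if r.get("cs-uri-stem", "").lower() in BACKDOOR_PATHS:
            kind = "success" if r.get("sc-status") == "200" else "probe"
            hits.setdefault(r["c-ip"], {"probe": 0, "success": 0})[kind] += 1
    return hits

def backdoor_present(rows):
    """True if any root.exe request got a 200: treat the logging host as infected."""
    return any(h["success"] for h in find_backdoor_activity(rows).values())

if __name__ == "__main__":
    activity = find_backdoor_activity(parse_w3c(SAMPLE_LOG.splitlines()))
    for ip, counts in sorted(activity.items()):
        print(ip, counts)
```

Probes with 404 still identify infected neighbours scanning you; a 200 means your own server has the copied CMD.EXE and should be rebuilt, not just cleaned.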