Latest CodeRed variant lacks built in obsolescence
Same old tricks with moderate-to-low risk worm
Eighteen months after Code Red wormed its way through insecure Microsoft IIS Web Servers, yet another variant has found its way onto the Internet.
CodeRed-F most closely resembles Code Red II, differing by only two bytes. This change means CodeRed-F is liable to spread indefinetly unlike CodeRed II, which was programmed to stop spreading at the end of 2002. An advisory by Finnish AV specialist F-Secure explains this point in more detail.
The original CodeRed had a payload that causes a Denial of Service attack on the White House Web server. CodeRed-F (like CodeRed II) has a different payload that allows the hacker to have full remote access to the Web server.
All the CodeRed worms use a "buffer overflow" exploit to propagate through vulnerable Microsoft IIS Web servers.
Admins running IIS are strongly urged to apply a cummulative patch to guard against this, and other similar risks.
AV vendors rate CodeRed-F as only a moderate to low-risk worm, largely because the number of vulnerable IIS Web Servers is much reduced since the original outbreak of CodeRed and Nimda (which also spread using the same exploit).
Sponsored: Magic Quadrant for Client Management Tools