Threat Encyclopedia


Aliases: W32/CodeRed.c, Troj/Codered-II, Trojan.CodeRed.8192, Win32:CodeRed-II

Win2k/CodeRed.D is a worm that spreads on the Windows 2000 operating system. It attacks web servers running Microsoft IIS (Index Server 2.0 and the Indexing Service on Windows 2000, respectively) on which the patch for the security vulnerability "Unchecked Buffer in Index Server ISAPI Extension" has not been installed. Upon activation the worm checks the configured system language. If Chinese is set as the system language the worm spreads twice as aggressively as with any other system language. The worm then checks the system date to find out whether the year is less than 2002 or the month is earlier than October. If the date is outside these limits the system is restarted. Otherwise the worm randomly generates IP addresses and tries to send a copy of itself to them. If the target address belongs to a system that can be attacked (one with the unpatched vulnerability mentioned above and a suitable operating system) the worm spreads to it. The worm runs up to 300 tasks at the same time searching for vulnerable IP addresses.

Note: In the following text the symbolic inscription %windir% is used in place of the name of the directory in which the Windows operating system is installed; naturally, this can differ from one installation to another.

The worm copies the file cmd.exe from the directory %windir%\System32 into the scripts directory Disk_Name:\inetpub\scripts\ and into the directory Disk_Name:\progra~1\common~1\system\MSADC\, in both cases under the name root.exe. In the root directories of disks C: and D: the worm creates the file explorer.exe, which contains a Trojan horse. The Trojan horse runs the file explorer.exe from the directory %windir% and manipulates the system registry. It turns off the System File Checker by setting the value of the key HKEY_LOCAL_MACHINE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable to 0FFFFFF9Dh. It changes the values of the keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Scripts and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\msadc to ",217". It also creates the keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\c with the value "c:\,,217" and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\d with the value "d:\,,217". These changes make the computer's local disks accessible from the Internet. The actions of the Trojan horse are repeated in a loop.
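The file drops and registry changes listed above are the host indicators a responder would look for. The following is an added triage example (not ESET's code and not part of the original entry) that evaluates an offline snapshot of a host, a list of file paths plus a dictionary of registry values, and reports which Win2k/CodeRed.D indicators are present. The paths and values come from the entry; the sample snapshots are constructed, and the full SFCDisable key path under HKLM\SOFTWARE is an assumption, since the entry abbreviates it.

```python
"""Host triage for the Win2k/CodeRed.D indicators listed in this entry.

Added example, not ESET's code. It evaluates an offline snapshot of a host
(file paths present plus a dict of registry values) rather than a live system.
Assumption: the SFCDisable value lives under HKLM\\SOFTWARE\\...\\Winlogon (the
entry abbreviates the path); all other paths and values are the entry's own.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

VROOTS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"
SFC_DISABLE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable"
SFC_DISABLE_WORM_VALUE = 0xFFFFFF9D  # 0FFFFFF9Dh in the entry

# Drive-relative locations of the renamed cmd.exe copies (root.exe), lower-case.
ROOT_EXE_TAILS = (
    r"\inetpub\scripts\root.exe",
    r"\progra~1\common~1\system\msadc\root.exe",
)
# Trojan dropper written to the root of C: and D:.
TROJAN_EXPLORER = (r"c:\explorer.exe", r"d:\explorer.exe")


@dataclass(frozen=True)
class Finding:
    kind: str    # "file" or "registry"
    where: str
    detail: str


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so comparisons are stable."""
    return ntpath.normcase(ntpath.normpath(path))


def check_files(paths: list[str]) -> list[Finding]:
    """Flag root.exe drops (on any drive) and explorer.exe sitting in a drive root."""
    findings: list[Finding] = []
    present = {_norm(p) for p in paths}
    for p in sorted(present):
        _drive, tail = ntpath.splitdrive(p)
        if tail in ROOT_EXE_TAILS:
            findings.append(Finding("file", p, "cmd.exe copy exposed as root.exe"))
        elif p in TROJAN_EXPLORER:
            findings.append(Finding("file", p, "trojan explorer.exe in drive root"))
    return findings


def check_registry(reg: dict[str, object]) -> list[Finding]:
    """Flag the SFC bypass and the IIS virtual roots the worm modifies or creates."""
    findings: list[Finding] = []
    if reg.get(SFC_DISABLE) == SFC_DISABLE_WORM_VALUE:
        findings.append(Finding("registry", SFC_DISABLE,
                                "System File Checker disabled (0FFFFFF9Dh)"))
    for name in ("Scripts", "msadc", "c", "d"):
        key = f"{VROOTS}\\{name}"
        value = reg.get(key)
        if not isinstance(value, str):
            continue
        # Virtual Roots values are comma-separated; only the trailing flags field is inspected.
        fields = [f.strip() for f in value.split(",")]
        if fields[-1] == "217":
            what = ("drive root exposed as IIS virtual root" if name in ("c", "d")
                    else "script directory access flags changed")
            findings.append(Finding("registry", key, f"{what}: {value!r}"))
    return findings


def triage(paths: list[str], reg: dict[str, object]) -> list[Finding]:
    """Combine file and registry checks for one host snapshot."""
    return check_files(paths) + check_registry(reg)


# Constructed snapshot of an infected Windows 2000 host (not real telemetry).
INFECTED_FILES = [
    r"C:\Inetpub\scripts\root.exe",
    r"C:\progra~1\common~1\system\MSADC\root.exe",
    r"C:\explorer.exe",
    r"D:\explorer.exe",
    r"C:\WINNT\explorer.exe",   # legitimate copy, must not be flagged
]
INFECTED_REG = {
    SFC_DISABLE: 0xFFFFFF9D,
    f"{VROOTS}\\Scripts": r"C:\Inetpub\scripts,,217",
    f"{VROOTS}\\msadc": r"C:\progra~1\common~1\system\MSADC,,217",
    f"{VROOTS}\\c": r"c:\,,217",
    f"{VROOTS}\\d": r"d:\,,217",
}
# Constructed clean host for comparison.
CLEAN_FILES = [r"C:\WINNT\explorer.exe", r"C:\WINNT\system32\cmd.exe"]
CLEAN_REG = {
    SFC_DISABLE: 0,
    f"{VROOTS}\\Scripts": r"C:\Inetpub\scripts,,204",
}

if __name__ == "__main__":
    for f in triage(INFECTED_FILES, INFECTED_REG):
        print(f"[{f.kind}] {f.where}: {f.detail}")
```

The snapshot form keeps the check reproducible and lets the same logic run against exported registry hives and directory listings collected from many hosts; a clean host yields no findings, while the constructed infected snapshot yields one finding per dropped file and per modified key.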

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.





