Virus Alert: CodeRed.F Able to Spread Indefinitely
Several antivirus software vendors on Wednesday reported multiple incidents of the CodeRed.F worm from Japan and Italy. Because of its spreading capability, TrendMicro has declared a Yellow Alert to control the spread of this malware and to warn users of possible infection.
This worm, like the other CodeRed variants, exploits a remote buffer overflow vulnerability in Microsoft's Internet Information Server (IIS) that can give an attacker system-level privileges. It drops a backdoor program on the infected Web server, giving an attacker full access to that server and a foothold from which to compromise the rest of the network.
This worm poses no risk to Windows 95, 98, and ME users. Windows NT and 2000 systems that do not have Microsoft's IIS Web Server installed are also not affected. This worm only affects computers running Microsoft IIS that have not been patched.
The only difference between this variant and CodeRed.C is the trigger date on which it restarts the system. The .C variant restarts the system if the year is greater than 2002. The .F variant executes the same routine only if the year is greater than or equal to 34952 (0x8888 in hex; the two changed bytes replace 0x07D2, the encoding of 2002), which in practice means the reboot never triggers and the worm keeps spreading.
System administrators of Web servers using Microsoft Windows NT 4.0 or Windows 2000 are being advised to download and install Microsoft's patches for the .IDA vulnerability. They can be found on this TrendMicro Web page.
CodeRed.F has been spreading since Tuesday, more than 18 months after the original CodeRed worm spread across the world faster than any worm before it, according to antivirus software vendor F-Secure.
However, since CodeRed.F still uses the old exploit to infect IIS Web servers, the number of vulnerable machines is not high. Most of them are forgotten Web servers or home machines without firewalls, the vendor says.
Apart from two changed bytes, CodeRed.F is identical to CodeRed II. CodeRed II stopped spreading at the end of 2002; the modification in CodeRed.F removes that cutoff and lets it spread indefinitely. Just like CodeRed II, this worm installs a backdoor on an infected Web server, enabling anyone with a Web browser to execute commands on the server simply by typing them into a specially crafted URL.
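Both the .ida overflow request and the backdoor URL described above leave distinctive entries in IIS logs, which is how an administrator of a "forgotten" server finds out it was hit. The following scanner is an example added to this article, not code from any of the vendors named here. It parses constructed IIS W3C extended log lines (the `SAMPLE_LOG` below is made up; the addresses are documentation ranges) and flags two things: requests to `.ida`/`.idq` URLs carrying a long or `%u`-encoded query, which is how the ISAPI overflow is triggered, and command requests to `root.exe` or `cmd.exe` with a `/c+` query, which is the CodeRed II backdoor (the worm copies `cmd.exe` to `root.exe` in the `/scripts` and `/MSADC` directories and maps the C: and D: drives as virtual directories). A 200 on a backdoor command is the strong indicator: it means the backdoor is present and answering. The field layout and thresholds are assumptions for the example.

```python
"""Scan IIS W3C log lines for CodeRed-style .ida overflow attempts and
use of the root.exe backdoor. Example code added to this article; it is
not vendor tooling. The log lines below are constructed, not captured."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in IIS W3C extended format, field order as in the
# #Fields: header (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-03-12 10:01:02 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
2003-03-12 10:01:05 192.0.2.10 GET /scripts/root.exe /c+dir 200
2003-03-12 10:02:11 198.51.100.7 GET /index.html - 200
2003-03-12 10:03:44 203.0.113.5 GET /MSADC/root.exe /c+dir 404
2003-03-12 10:04:00 203.0.113.5 GET /c/winnt/system32/cmd.exe /c+dir 404
"""

@dataclass
class Finding:
    src_ip: str
    kind: str      # "ida_overflow" or "backdoor_cmd"
    uri: str
    status: int
    note: str

# .ida/.idq requests are handled by the vulnerable Index Server ISAPI filter.
IDA_RE = re.compile(r"\.id[aq]$", re.IGNORECASE)
# root.exe (the worm's copy of cmd.exe) under /scripts or /MSADC, or cmd.exe
# reached through the drive virtual directories the worm adds.
BACKDOOR_RE = re.compile(r"/(?:root|cmd)\.exe$", re.IGNORECASE)

def parse_line(line: str) -> Optional[Tuple[str, str, str, str, int]]:
    """Return (c-ip, method, stem, query, status), or None for headers/junk."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7 or not parts[6].isdigit():
        return None
    _date, _time, ip, method, stem, query, status = parts
    return ip, method, stem, query, int(status)

def classify(line: str) -> Optional[Finding]:
    rec = parse_line(line)
    if rec is None:
        return None
    ip, _method, stem, query, status = rec
    if IDA_RE.search(stem) and (len(query) > 200 or "%u" in query.lower()):
        # Long query or %u-encoded shellcode on a .ida URL: exploit attempt.
        # A 200 here does not prove the overflow worked; a patched server
        # answers the request too (threshold of 200 chars is an assumption).
        return Finding(ip, "ida_overflow", f"{stem}?{query[:32]}...", status,
                       "ISAPI .ida overflow attempt")
    if BACKDOOR_RE.search(stem) and query.lower().startswith("/c+"):
        if status == 200:
            note = "backdoor answered: this server is compromised"
        else:
            note = "backdoor probe; not present on this server"
        return Finding(ip, "backdoor_cmd", f"{stem}?{query}", status, note)
    return None

def scan(log_text: str) -> List[Finding]:
    """Classify every line; drop the ones that are not suspicious."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]

def by_source(findings: List[Finding]) -> Counter:
    """Count suspicious requests per client address."""
    return Counter(f.src_ip for f in findings)

def server_compromised(findings: List[Finding]) -> bool:
    """True when any backdoor command was answered with 200."""
    return any(f.kind == "backdoor_cmd" and f.status == 200 for f in findings)

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.src_ip:14} {f.kind:13} {f.status} {f.uri}  ({f.note})")
    print("per-source:", dict(by_source(found)))
    print("compromised:", server_compromised(found))
```

On the constructed sample the scanner reports one overflow attempt and one answered backdoor command from 192.0.2.10, so the server is flagged as compromised, while 203.0.113.5 only probed for a backdoor that was not there (404). Note that the 200 on the `default.ida` request alone is inconclusive; the answered `root.exe` request is what confirms infection, and a patched but previously infected server may still carry the backdoor until it is removed.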
For more information about the original CodeRed worm, check this F-Secure page.
One indication that a system has been infected by the worm is computers restarting for no apparent reason, according to Panda Software, which is giving CodeRed.F a very low threat rating. Technical details are on this Panda Software page.
The worm exists only in memory and writes nothing to disk, according to McAfee, so detecting it requires scanning running processes rather than files. Removal instructions can be found here.
Symantec is giving CodeRed.F a medium damage assessment, with a high distribution potential. Read more on this Symantec page.
NiceHello Worm Increasing in Activity
Panda Software is reporting a marked increase in activity this week from the NiceHello worm, which the security software vendor says now heads the list of the viruses it is most frequently detecting.
NiceHello replaces Klez.I, which had topped the ranking for several months. The ability of this malicious code to spread rapidly by tricking users into opening an infected file has caused a large number of computers to fall victim to NiceHello.
For information about removing NiceHello from infected computers, check here.
Yaha Worm Strikes Again
W32/Yaha-R is a worm from the Yaha family. It shares many of the characteristics of W32/Yaha-Q, according to antivirus software vendor Sophos.
However, W32/Yaha-R stores itself on a hard disk under different file names than those used by the -Q variant. W32/Yaha-R places the files wintask32.exe and exeloader.exe into a system folder. (The -Q variant uses the names mstask32.exe and exeloader.exe.)
For removal instructions, go to this Sophos Web page.
VBS Prune Worm Using Iraq Crisis
Prune is a Visual Basic Script worm that spreads via email, mIRC and network shares, according to F-Secure. Once executed, the Prune worm copies itself as "UN_Interview.txt.vbs" into the C:\Windows folder. It then runs three routines that spread it via email, mIRC and the network, and afterwards runs its payload.
The worm uses the MS Outlook application to send itself to all contacts listed in each address book. This is how the infected email message appears:
Subject: US Goverment Material - Iraq Crisis
Body:
Attachment: UN_Interview.txt.vbs
For more details about the various ways the worm spreads, visit this F-Secure page.
Compiled by Esther Shein.
