Code Red II - Everything2.com

A man-made variant of the Code Red Worm^*, Code Red II (or CRII) was designed to exploit the delivery mechanism developed by Code Red. Distinct differences between the two:

CRII uses 300 threads (600 if the server has Chinese language encoding) instead of 100.
CRII targets most of its attacks against "nearby" networks. Nearness is a function of IP address similarity in front-end bits. Hence, CRII is optimized to infest small networks with a large number of infectable machines.
When it first infects a machine, CRII installs several backdoors into the webserver configuration, allowing anyone to remotely execute any command. If the machine is rebooted, these backdoors are not removed, although the active infection is.
One day (two days if Chinese) after infection, or anytime after October 1, 2001, the machine is rebooted.

One of the major deficiencies of CRII is its weakness in attacking through VPNs. Once all 300 threads exist, they will continue attacking "nearby" addresses, even if the infected machine is now on a different address (such as private IP space).

Many people feel that one can trivially defend oneself, but it should be noted that any attack against an infected machine that fails to actively remove the backdoors is naught but a temporary solution.

^* Note that CRv1 & CRv2 are names for versions of the original Worm. CRII is a variant.

Code Red Worm	We're all missing the point on computer security	Nimda	the plural of virus
Digital Ecosystem	Warhol Worm	LaBrea	Code Blue
College staple foods