The Code Red worm works by exploiting the .ida overflow bug (which had been patched for weeks before the discovery of the worm) in order to overwrite the worm's code into one of IIS's DLLs. Once there, it spawns 100 threads:
- Threads 1 - 99:
- If time is before 20:00 UTC, attempt to infect random1 other IPs.
- If time is greater than 20:00 UTC, flood whitehouse.gov2.
- Thread 100:
- If server is set to the enUS codepage (US English), alter some DLL so that it will load a page from within's the worm's memory rather than http://localhost/index.* (see Stavr0's writeup in Code Red).
- Else act like threads 1 through 99.
1: Although the list of IPs appears random, the worm has a hardcoded seed for its random number generator. It has been speculated that the worm's author chose a seed that would have eir IP high on the list so ey could get a list of infected servers.
2: The DDoS attack was directed at a hardcoded IP previously used by whitehouse.gov, therefore in order to avoid the attack the administrators changed the IP of their server.
Some interesting features of this worm:
- It contains a lysine deficiency (type: Anti-Lysine) in that it will shut down if a particular file exists on the hard drive.
- It can infect a system more than once, creating yet another 100 threads.
- It has been seen on some of Microsoft's Windows Update servers, which means that Microsoft isn't applying its own security patches on one of the most important sites on the Net (crackers could get everyone updating Windows to download malicious code).
Also:
- There are two rumours3 why it's named "Code Red":
- Slashdot is running a contest to guess the NYT and WSJ's headlines concerning the worm.
3: See cordelia's write-up, below.
Source: discussions on Slashdot and the security bulletin Stavr0 mentioned.