Son-of-Code-Red brings new risk to vulnerable servers

Son-of-Code-Red brings new risk to vulnerable servers

• By William Jackson
• Aug 06, 2001

A new Internet worm that exploits the same vulnerability as Code Red is installing back doors on servers that leave infected machines wide open to future exploitation.

Although the new worm could be more dangerous than Code Red, the same patch that fixes the vulnerability in Microsoft's Internet Information Services software can thwart it. Most agencies have patched their systems and weathered the Code Red resurgence over the past week with only one reported infection, said Lawrence Hale, director of liaison for the Federal Computer Incident Response Team.

'The government was well-prepared for last week's propagation phase of Code Red,' Hale said. 'The same machines should be safe from the new variant. But for those machines that are not patched, the stakes have increased.'

The new worm seems to affect primarily systems running Windows 2000 and IIS. Rebooting infected machines can eliminate Code Red, but this will not remove the Trojan back door left by the new worm.

Because the malicious code can disguise itself and locating it can be difficult, the best course of action for servers running the vulnerable software is to reformat the hard drive and reinstall the operating system with the Microsoft patch, Hale said.