What is WORM???
A worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself. Worms use parts of an operating system that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.
WORM means (write once, read many).
What is CODE RED??
Code Red is a computer worm released on July 13, 2001, also known as I-Worm. Code Red was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh. CODE RED is one of the worst virus attacks of ALL TIME. Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. The number of infected hosts reached 359,000.
The name CODE RED was taken from the drink Code Red Mountain Dew, because that was what they were drinking at the time they discovered the virus. The technical names of this virus are CRv1 and CRv2; its type is Server Jamming Worm, and it originated in China. It contains the text string “Hacked by Chinese”, which is displayed on web pages that the worm defaces.
- Days 1 - 19: Trying to spread itself by looking for more IIS servers on the Internet.
- Days 20 - 27: Launch denial of service attacks on several fixed IP addresses. The IP address of the White House web server was among those.
- Days 28 - end of month: Sleeps, no active attacks. It is believed that the worm will not "awaken" and will not spread again, unless deliberately executed again.
How the attack Works??
1. It scans the victim host to see if TCP port 80 is active.
2. It sends a specially constructed HTTP GET request to the victim, attempting to exploit a buffer overflow problem in the Indexing Service.
3. If step 2 works, Code Red starts to run on the victim system. The developers of this program built in a feature that prevents Code Red from infecting an already infected system, however, by creating a file named c:\notworm file in each infected system. If Code Red finds this file, the worm aborts.
4. Code Red then starts scanning the network for other systems in which TCP port 80 is active.
5. After a delay, Code Red checks the language used on the web server. If English is the language, it then defaces all web pages on the victim host with the message
GET /default.ida?
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNN
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
New Version of CODE RED
CODE RED VERSION 2
On August 4, 2001 Code Red II appeared. Code Red II is a variant of the original Code Red worm. Although it uses the same injection vector, it has a completely different payload. It pseudo-randomly chooses targets on the same subnet as the infected machine or on different subnets according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it uses a pattern of repeating 'X' characters instead of 'N' characters to overflow the buffer.
The signature of Code Red II will appear in the signature logs as:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
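A log scanner for the two signatures above, as an added example that is not part of the original page: it flags requests to /default.ida whose query string starts with a long run of 'N' or 'X' followed by %u-encoded words, and labels the variant. The function names, the 50-character threshold and the sample log lines are assumptions made for this example; the day ranges come from the schedule listed earlier.

```python
import re

# Common Log Format fields used here: client IP, day of month, request line.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2})/[^\]]+\] "(?P<req>[^"]*)"')

# /default.ida? followed by a long run of one filler character and %u-encoded
# words, as in the two signatures above. The 50-character minimum is an
# assumed threshold, not a value from the page.
SIGNATURE = re.compile(r"(?i:/default\.ida)\?(?P<fill>N{50,}|X{50,})(?:%u[0-9a-fA-F]{4})+")

VARIANT = {"N": "Code Red", "X": "Code Red II"}


def phase_for_day(day):
    """Day-of-month schedule the page lists for the original Code Red."""
    if day <= 19:
        return "spreading"
    if day <= 27:
        return "denial-of-service"
    return "sleeping"


def scan(lines):
    """Return (source_ip, variant, day, phase) for each matching request."""
    hits = []
    for line in lines:
        entry = LOG_LINE.match(line)
        if not entry:
            continue
        sig = SIGNATURE.search(entry.group("req"))
        if not sig:
            continue
        variant = VARIANT[sig.group("fill")[0]]
        day = int(entry.group("day"))
        # The schedule applies to the original worm only; Code Red II has a different payload.
        phase = phase_for_day(day) if variant == "Code Red" else None
        hits.append((entry.group("ip"), variant, day, phase))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
TAIL = '%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 -'
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jul/2001:14:02:11 +0000] "GET /default.ida?' + "N" * 200 + TAIL,
    '198.51.100.23 - - [05/Aug/2001:03:17:40 +0000] "GET /default.ida?' + "X" * 200 + TAIL,
    '192.0.2.10 - - [05/Aug/2001:03:18:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [05/Aug/2001:03:19:00 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 -',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The source addresses returned by scan() are hosts that sent the probe, which makes them candidates for infected machines to report or clean up.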
Did you know that worm and virus are not the same??
Both worms and viruses are man-made, not products of nature. A virus attaches itself to a program or file and spreads from one computer to another. A worm, on the other hand, is similar to a virus by design and is considered a sub-class of virus; it also spreads from one computer to another. Unlike a virus, a worm can spread without any human action. Computer viruses are like human viruses, which can spread in any circumstance, attacking organs and destroying the human system. In a computer, viruses and worms can attack the hardware, software and files, spreading like an epidemic.
To protect against these viruses you should have a firewall. A firewall is a system that prevents unauthorized use of and access to your computer. A firewall can be either hardware or software.
Viruses are dangerous to our computers, so be careful when opening or downloading any unwanted or unknown file or site, because it will cost you a lot of money to repair the damage that has been done.
Think before sending or creating a virus because it is not funny if someone’s computer is corrupted.