Win32.IISWorm.CodeRed.F

Spreading: medium
Download removal tool
Damage: medium
Size: 3818 bytes
Discovered: 2003 Mar 11

SYMPTOMS:

Presence of files:

c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe

TECHNICAL DESCRIPTION:

The worm exploits a buffer overflow vulnerability in Microsoft IIS Server, which runs on Microsoft Windows NT and Windows 2000. The patch and information about this problem can be found at:

http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

The worm begins spreading by sending HTTP requests. Unpatched machines execute the worm code directly from memory. Once executed, the worm scans the export table of kernel32.dll for the GetProcAddress function and then resolves the addresses of the other functions it needs for further spreading. It then exploits yet another bug in Microsoft Windows, the relative shell path vulnerability.

Details on this bug are available from:

http://www.microsoft.com/technet/security/bulletin/MS00-052.asp

This particular vulnerability is used to load another shell program instead of the usual explorer.exe (found in %WINDIR%) by writing a file named explorer.exe into the %SYSTEMROOT% directory. The worm checks whether Chinese (either Traditional or Simplified) is the language installed on the system. If it is Chinese, it creates 600 threads and spreads for 48 hours. On a non-Chinese system it creates 300 threads and spreads for 24 hours.

After that, it reboots the system using the ExitWindowsEx function. The worm dumps part of its body to %SYSTEMROOT%\explorer.exe, which is in fact a trojan component that allows the attacker to remotely access the infected computer.

The trojan component sets the SFCDisable value under the registry key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable]

to disable file system security, and allows a remote attacker to access drives C: and D: through a web browser by adding read/write rights under the registry key:

[HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots]
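The file paths listed under SYMPTOMS and the two registry locations above are the host-based indicators a responder would check. The script below is an added example, not BitDefender's removal tool or any code from the write-up: it evaluates those indicators against an abstract snapshot of the host (a list of existing paths, the Winlogon values, the Virtual Roots values) so the logic can be exercised offline with the constructed sample data embedded in it, and it includes an optional live collector that only runs on Windows. It assumes that Virtual Roots entries are stored as "path,username,flags" strings and that a clean host has SFCDisable absent or 0; the meaning of the flags field is not interpreted, so any entry that maps a bare drive root is reported.

```python
import os
import sys
from dataclasses import dataclass

# Indicator paths taken from the SYMPTOMS section of the write-up.
BACKDOOR_PATHS = [
    r"c:\inetpub\scripts\root.exe",
    r"c:\progra~1\common~1\system\MSADC\root.exe",
    r"d:\inetpub\scripts\root.exe",
    r"d:\progra~1\common~1\system\MSADC\root.exe",
]

# Registry locations named in the write-up (under HKLM).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VROOTS_KEY = r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"


@dataclass
class Finding:
    kind: str    # "file", "registry" or "vroot"
    detail: str  # the matching path or value, for the analyst


def parse_vroot(value):
    """Split an assumed 'path,username,flags' Virtual Roots string into (path, flags_text)."""
    parts = [p.strip() for p in value.split(",")]
    path = parts[0]
    flags = parts[2] if len(parts) >= 3 else ""
    return path, flags


def is_drive_root(path):
    """True for a bare drive root such as 'C:' or 'c:\\' (what the worm exposes)."""
    p = path.strip().rstrip("\\").upper()
    return len(p) == 2 and p[0].isalpha() and p[1] == ":"


def find_indicators(existing_paths, winlogon_values, virtual_roots):
    """Pure check: returns a list of Finding objects for the indicators present."""
    existing = {p.lower() for p in existing_paths}
    findings = []
    # 1. backdoor copies of the command shell (case-insensitive path match)
    for p in BACKDOOR_PATHS:
        if p.lower() in existing:
            findings.append(Finding("file", p))
    # 2. Windows file protection switched off via SFCDisable
    sfc = winlogon_values.get("SFCDisable")
    if sfc not in (None, 0):
        findings.append(Finding("registry", f"SFCDisable={sfc!r}"))
    # 3. IIS virtual roots that expose a whole drive (e.g. C:\ or D:\)
    for name, value in virtual_roots.items():
        path, flags = parse_vroot(value)
        if is_drive_root(path):
            findings.append(Finding("vroot", f"{name} -> {path} (flags field: {flags or 'none'})"))
    return findings


def collect_windows_state():
    """Read the live host (Windows only) into the inputs find_indicators expects."""
    if sys.platform != "win32":
        raise RuntimeError("live collection requires Windows")
    import winreg  # only available on Windows
    existing = [p for p in BACKDOOR_PATHS if os.path.exists(p)]
    winlogon, vroots = {}, {}
    for key_path, target in ((WINLOGON_KEY, winlogon), (VROOTS_KEY, vroots)):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
                index = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    target[name] = data
                    index += 1
        except OSError:  # key absent (e.g. no IIS installed)
            pass
    return existing, winlogon, vroots


# Constructed sample snapshot resembling an infected host (not captured from a real machine).
SAMPLE_PATHS = [r"C:\inetpub\scripts\root.exe", r"C:\winnt\explorer.exe"]
SAMPLE_WINLOGON = {"SFCDisable": 1}  # constructed non-zero value
SAMPLE_VROOTS = {
    "/scripts": r"c:\inetpub\scripts,,1",  # normal root; flags value constructed
    "/c": r"c:\,,1",                      # whole drive exposed; flags value constructed
    "/d": r"d:\,,1",
}

if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        state = collect_windows_state()
    else:
        state = (SAMPLE_PATHS, SAMPLE_WINLOGON, SAMPLE_VROOTS)
    for f in find_indicators(*state):
        print(f"[{f.kind}] {f.detail}")
```

Run it with no arguments to see the findings for the constructed sample; on a Windows host, `--live` reads the real paths and registry values instead. Findings are only indicators of compromise: a positive result should be followed by the removal steps below and by applying the IIS patches, not by editing the registry by hand alone.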

Removal instructions:

The BitDefender Virus Analysis Team has released a free removal tool for this particular virus.

Important: close all applications (including the antivirus shields) before running the tool, and restart the computer afterwards. Additionally, you will have to manually delete infected files located inside archives and infected messages from your mail client.

The BitDefender codered.zip tool does the following:
  • it detects all the known Win32.IISWorm.CodeRed versions;
  • it deletes the files infected with Win32.IISWorm.CodeRed;
  • it kills the process from memory;
  • it repairs the Windows registry.

You may also need to restore the affected files.

It is highly recommended to install the latest IIS patches available from the Microsoft website.

ANALYZED BY:

Mihai Chiriac, BitDefender Virus Researcher

© 2010 BitDefender
