A Recurrence of the ‘Code Red’ Worm?

Kaspersky Labs comments on the rumors surrounding the epidemic concerning this menacing Internet worm.

At the beginning of this week, press agencies for the US, UK and other countries began warning about the unleashing of a new epidemic connected with the Internet worm “Bady” (a.k.a. “Code Red”), which is set to go into action on August 1. Unfortunately, the announcements that have sprung forth distort the actual situation, having caused panic amongst users. Kaspersky Labs considers it is necessary to clarify things.

Bady is a worm that spreads worldwide via the Internet, infecting computers operating Windows 2000, Microsoft Internet Information Server (IIS) (versions 4.0 and 5.0) with the Indexing Service switched on. The worm exploits a flaw in the IIS security known as “Unchecked Buffer in Index Server ISAPI Extension.” The flaw was detected in June of this year, and Microsoft has already issued the corresponding patch remedying this breach, with all anti-virus developers having added the proper software defense procedures to their databases, thwarting this worm.

Bady’s operating characteristics are such that the worm is only active from the 1st to the 27th of each month, after which all active worm copies automatically switch to “sleep mode” and no longer activate spreading procedures and do not manifect themselves in any other way. Bady has already successfully infected 350,000 computers worldwide, and there exists the distinct possibility that one system may have the date incorrectly entered (for example, 5 days behind), thus, storing the worm’s active copy. Only in this case, August 1 could see a repeat infecting of computers that have yet to be installed with the aforementioned patch for the IIS security or that have not downloaded the proper anti-virus software update. “We don’t exclude the possibility of a repeat Bady epidemic; however, the cases of infection by this worm will be sporadic and the scale of spreading won’t be anything like the first series of infections,” commented Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Labs There are several factors why a repeat of the earlier epidemic isn’t possible. Firstly, Bady’s existence has already been announced widely throughout the mass media, prompting the majority of system administrators to install the Microsoft patch and to update their anti-virus. Secondly, a repeat infection of computers causes a lowering of their productivity and a “bug in the works.” As a result, system administrators will have to conduct a manual cleaning of their computers and install the patch. Lastly, Bady is geared exclusively towards systems with IIS installed. This software is used only on the server environment in such a way that home users and users of similar software from other developers are not exposed to the Bady attack.

“Today, timely installing of the software update is one of the most important computer security rules. Bady is just further evidence to this point,” commented Denis Zenkin, Head of Corporate Communications for Kaspersky Labs. “Installing the Bady patch helps thwart this worm and its modifications alone. But this doesn’t protect against other malicious programs exploiting breaches in a software defense system.”