Revamped internet worm attacks web servers
( 2001-08-07 11:12 ) (7 )

A new variation of the troublesome Code Red worm is spreading throughout the Internet on Monday. And according to security experts, a twist on "Code Red II" makes it more harmful than the previous version.

The new worm, which was first discovered on Saturday, exploits the same software vulnerability as the original Code Red bug that infected computers in mid-July.

But instead of just defacing Web sites and spreading itself to other computers, this new bug leaves infected servers vulnerable to further attacks by leaving so-called trojans - programs that give hackers secretive "back door" access to computers.

Spreads Faster

In addition to a more damaging outcome, Code Red II may be spreading faster than the original. According to The Associated Press, security experts say the new worm is about 4,000 times faster in finding new computers to infect than its predecessor.

Marty Lindner, a team leader at the CERT Coordination Center, a government-sponsored computer network monitoring group, says the first Code Red worm infected other computers on the Internet by randomly searching for other computers.

“This new version still scans randomly," he told ABCNEWS. "But it's also been modified so that it scans the local network first."

Lindner says this modification may create more of an impact on local networks than on the larger overall Internet network. But some computer users may see a sluggish Internet connection if their Internet service providers have been infected with the new worm.

Patches Available

Both Code Red worms affect Web servers that run certain versions of Microsoft's Windows NT and Windows 2000 software, also loaded with Microsoft's Internet Index Server software for networking. Computers that use Microsoft's other operating systems, such as Windows 98 or Windows ME, are not vulnerable.

Security experts say that computer administrators should protect their networks from the worms by applying software patches released by Microsoft last June.

But with more than 150,000 to 200,000 servers already infected with the original Code Red worm last week, "Clearly the people haven't gotten to (downloading) it yet," says CERT's Lindner.

For computers that have already been infected by the new worm Lindner says that anti-virus programs can help remove the bug. "Once the backdoors are there, you don't know what's gotten into your system," he says. "At that point, you have to format the disk and start over."

Troubled Tracking

Unlike the previous version, the new Code Red worm is also more difficult to track.. As of late on Monday, security experts were still trying to determine how many servers may have been infected with the new worm.

Jerry Freese, director of intelligence at Vigilinx, a digital security solutions provider in Parsippany, N.J., says he's seen unconfirmed reports that show an estimated 91,000 servers have succumbed to the new bug.

Freese notes that these initial reports seem to indicate that the spread of the new Code Red is only a "bit slower" than the initial worm of last month. Still, he says that the spread of the new worm underscored the importance for network administrators to make the appropriate fixes.

“People are calling this a dramatic spread," he said. "In effect, it is because this many servers shouldn't be infected (with the new bug) in the first place if all the patches were in place."