WORM: Code-Red Infection Attempt
The signature detects attempts to infect a Microsoft IIS server with the Code Red worm using a .ida buffer-overflow attack. The installed worm downloads code from the donor host, creates a backdoor on the victim, and starts 100 worm threads that scan for other vulnerable hosts using random IP addresses. Code Red also checks the host system time; on the 20th of each month (GMT), all infected systems send 100k bytes of data to TCP/80 of www.whitehouse.gov, causing a denial of service (DoS).
Extended Description
Code Red conducts distributed denial-of-service attacks on www.whitehouse.gov and causes general denial of service on local and remote networks due to massive bandwidth usage.
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3