W32/Bady.C - Released Aug 01, 2001 - Last Updated Jul 02, 2003

Alias/es

CodeRed.C, CodeRedII

Visible Symptoms

  • Last updated on 7-2-2003: The new variant (CodeRed.F, a.k.a. Bady.F) differs from the earlier fast-spreading Code Red by two bytes.

  • The two changed bytes alter the worm's date check. Whereas the earlier CodeRed was programmed to stop infecting after a specific date, the new variant has no cut-off and infects all year round -- indefinitely.

  • High volume of outbound HTTP (port 80) traffic originating from infected systems which run the IIS service

  • Creation of a file named "Root.exe" in the IIS scripts or MSADC folders of systems running the IIS service

Detailed Analysis

  • Virus exploits a buffer overflow in the Indexing Service ISAPI extension (.ida) on systems which run the IIS service - a request for a .ida resource carrying a carefully crafted, over-long query string overflows a buffer and executes the attacker's code on the host in the context of the IIS service

  • Virus installs itself memory resident on the target system and also drops a remote access Trojan which would allow a remote attacker control of the host - a reboot of the system will prevent the memory-resident virus component from running again, unless the system is compromised again by another infection attempt from an outside source; the dropped files remain on disk after a reboot and must be removed separately

  • Virus resolves socket routines from WS2_32.dll in order to attempt connections via HTTP port 80 to other IP addresses where a server running the IIS service could reside

  • Virus checks the language of the host system - if it is Chinese (PRC or Taiwan locale), the virus creates 600 threads, otherwise 300 threads are generated; each thread attempts to reach other potential targets at randomly generated IP addresses

  • Virus attempts to copy CMD.EXE as ROOT.EXE into the following folders, if they exist:

    C:\Inetpub\Scripts\
    D:\Inetpub\Scripts\
    C:\Progra~1\Common~1\System\MSADC\
    D:\Progra~1\Common~1\System\MSADC\

    so that anyone who can reach the web server can run arbitrary commands on it with a simple HTTP GET request of the form /scripts/root.exe?/c+<command>

  • Virus writes the remote access Trojan as the file "C:\Explorer.exe" and, if a D: drive is available, also as "D:\Explorer.exe" - because Windows searches the root of the drive before the system directory when starting the shell, this Trojan copy is loaded in place of the real Explorer.exe when the system calls Explorer

  • Virus contains the string "CodeRedII" in its code
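As an added example (not part of the original advisory), the following Python script turns the symptoms and drop locations listed above into two checks a responder can run: one scans IIS W3C log lines for the over-long .ida request and for GET requests to the ROOT.EXE/CMD.EXE backdoor under /scripts/ or /msadc/, the other looks for the dropped files under a list of drive roots. The log lines, the 224-byte filler and %u-encoded bytes in the sample exploit request, and the temporary "drive" layout are all constructed here for illustration; the field order assumed is the default IIS W3C layout (date, time, client IP, method, URI stem, URI query, status).

```python
import os
import re
import tempfile
from typing import Dict, List

# Constructed sample IIS W3C extended log. The exploit query is a long run of one
# filler character followed by %u-encoded bytes, the shape of the .ida overflow
# request; the payload bytes here are illustrative, not the worm's real shellcode.
IDA_PAYLOAD = "X" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = (
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2001-08-04 10:12:01 192.0.2.10 GET /index.html - 200\n"
    f"2001-08-04 10:12:07 198.51.100.7 GET /default.ida {IDA_PAYLOAD} 200\n"
    "2001-08-04 10:13:22 198.51.100.7 GET /scripts/root.exe /c+dir 200\n"
    "2001-08-04 10:13:40 198.51.100.7 GET /msadc/root.exe "
    "/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\cmd2.exe 502\n"
    "2001-08-04 10:14:05 192.0.2.11 GET /scripts/search.asp q=report 200\n"
)

# Rule 1: query to the Indexing Service ISAPI extension (.ida/.idq) made of a run
# of 100+ identical filler characters (X or N) followed by %u-encoded bytes.
IDA_OVERFLOW = re.compile(r"^([XN])\1{99,}.*%u[0-9a-f]{4}", re.IGNORECASE)
# Rule 2: GET to the CMD.EXE copy dropped as ROOT.EXE (or to CMD.EXE itself) in
# the scripts or MSADC folders; the query string is the command line passed to it.
BACKDOOR_STEM = re.compile(r"^/(scripts|msadc)/(root|cmd)\.exe$", re.IGNORECASE)


def scan_iis_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per log line that matches either rule, tagged with the rule
    name and the client IP so hits can be grouped by source."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directive lines
        fields = line.split(" ")
        if len(fields) < 7:
            continue
        _date, _time, src, method, stem, query, _status = fields[:7]
        if stem.lower().endswith((".ida", ".idq")) and IDA_OVERFLOW.search(query):
            hits.append({"line": str(n), "src": src, "rule": "ida_overflow",
                         "detail": f"{len(query)}-byte query to {stem}"})
        elif method == "GET" and BACKDOOR_STEM.search(stem):
            # '+' is the URL encoding of a space in the command line
            hits.append({"line": str(n), "src": src, "rule": "backdoor_command",
                         "detail": query.replace("+", " ")})
    return hits


# Drop locations from the analysis above, relative to a drive root.
DROP_PATHS = [
    os.path.join("Inetpub", "Scripts", "root.exe"),
    os.path.join("Progra~1", "Common~1", "System", "MSADC", "root.exe"),
    "Explorer.exe",  # Trojan copy in the drive root, not %SystemRoot%\Explorer.exe
]


def find_dropped_files(drive_roots: List[str]) -> List[str]:
    """Return full paths of any indicator files present under the given roots
    (e.g. ['C:\\\\', 'D:\\\\'] on a live system)."""
    found = []
    for root in drive_roots:
        for rel in DROP_PATHS:
            path = os.path.join(root, rel)
            if os.path.isfile(path):
                found.append(path)
    return found


def demo_dropped_files() -> List[str]:
    """Build a constructed drive layout in a temp dir (two of the three indicator
    files present) and return the hits relative to that root."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "Inetpub", "Scripts"))
        open(os.path.join(tmp, "Inetpub", "Scripts", "root.exe"), "wb").close()
        open(os.path.join(tmp, "Explorer.exe"), "wb").close()
        return [os.path.relpath(p, tmp) for p in find_dropped_files([tmp])]


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
    print(demo_dropped_files())
```

On a real server the log scan runs over the files under %SystemRoot%\System32\LogFiles\W3SVC1\, and the file check is given the actual drive roots; a hit on rule 1 only shows that the exploit was attempted, while a hit on rule 2 or a present ROOT.EXE means the host was compromised and the backdoor was usable.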


Reference: ID - 322780