Short Name | WORM:CODERED:INFECTION-ATTEMPT |
---|---|
Severity | Medium |
Recommended | No |
Category | WORM |
Keywords | Code Red |
Release Date | 2003/04/22 |
Update Number | 1213 |
Supported Platforms | di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |

This signature detects attempts to infect a Microsoft IIS server with the Code Red worm using a .ida buffer-overflow attack. The installed worm downloads code from the donor host, creates a backdoor on the victim, and starts 100 worm threads that scan for other vulnerable hosts using random IP addresses. Code Red also checks the host system time; on the 20th of each month (GMT), all infected systems send 100k bytes of data to TCP/80 of www.whitehouse.gov, causing a denial of service (DoS).

Code Red conducts distributed denial-of-service attacks on www.whitehouse.gov and causes general denial of service on local and remote networks due to massive bandwidth usage.