Signature Detail

WORM: CodeRed v2 Worm Infection Attempt

This signature detects attempts by the CodeRedII worm to infect a host. The CodeRedII worm, also known as CodeRed.F, exploits the same vulnerability as the original CodeRed worm.

Extended Description

Windows Index Server ships with Windows NT 4.0 Option Pack; Windows Indexing Service ships with Windows 2000. An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service. A maliciously crafted request could allow arbitrary code to run on the host in the Local System context. Note that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running. Note also that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of IIS are also vulnerable. **UPDATE**: An aggressive worm that actively exploits this vulnerability is believed to be in the wild.

Affected Products

• Cisco Building Broadband Service Manager (BBSM) 2.5.1
• Cisco Building Broadband Service Manager (BBSM) 3.0.0
• Cisco Building Broadband Service Manager (BBSM) 4.0.1
• Cisco Building Broadband Service Manager (BBSM) 4.2.0
• Cisco Building Broadband Service Manager (BBSM) 4.3.0
• Cisco Building Broadband Service Manager (BBSM) 4.4.0
• Cisco Building Broadband Service Manager (BBSM) 4.5.0
• Cisco Building Broadband Service Manager (BBSM) 5.0.0
• Cisco Building Broadband Service Manager (BBSM) 5.1.0
• Cisco Building Broadband Service Manager (BBSM) 5.2.0
• Cisco Call Manager 1.0.0
• Cisco Call Manager 2.0.0
• Cisco Call Manager 3.0.0
• Cisco Call Manager 3.1.0
• Cisco Call Manager 3.1.0 (2)
• Cisco Call Manager 3.1.0 (3a)
• Cisco Call Manager 3.2.0
• Cisco Call Manager 3.3.0
• Cisco Call Manager 3.3.0 (3)
• Cisco Call Manager 4.0.0
• Cisco Call Manager
• Cisco Collaboration Server
• Cisco Dynamic Content Adapter
• Cisco ICS 7750
• Cisco ICS Firmware 1.0.0
• Cisco ICS Firmware 2.0.0
• Cisco IP/VC 3540 Application Server
• Cisco Media Blender
• Cisco Trailhead
• Cisco Unity Server 2.0.0
• Cisco Unity Server 2.1.0
• Cisco Unity Server 2.2.0
• Cisco Unity Server 2.3.0
• Cisco Unity Server 2.4.0
• Cisco Unity Server 2.46.0
• Cisco Unity Server 3.0.0
• Cisco Unity Server 3.1.0
• Cisco Unity Server 3.2.0
• Cisco Unity Server 3.3.0
• Cisco Unity Server 4.0.0
• Cisco Unity Server
• Cisco uOne 1.0.0
• Cisco uOne 2.0.0
• Cisco uOne 3.0.0
• Cisco uOne 4.0.0
• Cisco uOne Enterprise Edition
• Microsoft Indexing Services for Windows 2000
• Microsoft Index Server 2.0

References

• BugTraq: 2880
• CVE: CVE-2001-0500
• URL: http://secunia.com/virus_information/4740
• URL: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=CODERED.F&VSect=T
• URL: http://securityresponse.symantec.com/avcenter/venc/data/codered.f.html