{"id":5510,"date":"2018-11-14T16:00:41","date_gmt":"2018-11-14T10:30:41","guid":{"rendered":"https:\/\/antivirus.comodo.com\/blog\/?p=5510"},"modified":"2021-02-24T13:42:36","modified_gmt":"2021-02-24T08:12:36","slug":"codered-worm","status":"publish","type":"post","link":"https:\/\/antivirus.comodo.com\/blog\/comodo-news\/codered-worm\/","title":{"rendered":"What is Code Red Worm?"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5511\" src=\"https:\/\/antivirus.comodo.com\/blog\/wp-content\/uploads\/2018\/11\/codered.png\" alt=\"codered\" width=\"650\" height=\"300\" srcset=\"https:\/\/antivirus.comodo.com\/blog\/wp-content\/uploads\/2018\/11\/codered.png 650w, https:\/\/antivirus.comodo.com\/blog\/wp-content\/uploads\/2018\/11\/codered-300x138.png 300w, https:\/\/antivirus.comodo.com\/blog\/wp-content\/uploads\/2018\/11\/codered-225x104.png 225w\" sizes=\"auto, (max-width: 650px) 100vw, 650px\" \/><br \/>\nCode Red is a computer worm that was identified in July 2001, when computers running Microsoft&#8217;s Internet Information Services (IIS) web server were found compromised. The aftermath of the attack caused billions of dollars in damage in the summer of 2001.<\/p>\n<p>Marc Maiffret and Ryan Permeh, employees of eEye Digital Security, discovered this worm when it exploited an existing vulnerability discovered by Riley Hassell.<\/p>\n<p>They named the computer worm &#8220;Code Red&#8221; because they were drinking Code Red Mountain Dew when they confirmed it as a threat.<\/p>\n<p>It displays the text string &#8220;Welcome to worm.com Hacked by Chinese!&#8221; and runs in memory, erasing all files present on the hard drive. It infected close to 359,000 hosts on July 19, 2001.<\/p>\n<h2>Behaviour of Code Red<\/h2>\n<p>Code Red lands on the server in the form of a GET \/default.ida request on TCP port 80.
In this way the code exploits a buffer overflow vulnerability in the indexing software of Microsoft&#8217;s Internet Information Server (IIS), and as a result the code runs within the IIS server. The <a href=\"https:\/\/antivirus.comodo.com\/blog\/computer-safety\/worm-virus\/\">worm virus<\/a> runs entirely in memory and cannot be found on disk. It occupies 3,569 bytes.<\/p>\n<p>The payload of the worm comprised:<\/p>\n<ul>\n<li>It defaces the infected website to display: <strong>HELLO! Welcome to http:\/\/www.worm.com! Hacked By Chinese!<\/strong><\/li>\n<li>It tries to spread its infection by finding more IIS servers on the Internet from Day 1 to Day 19 of the month.<\/li>\n<li>It then targets the systems associated with specific IP addresses with Denial of Service attacks from Day 20 to Day 27.<\/li>\n<li>From Day 28 of the month onward there are no active attacks.<\/li>\n<\/ul>\n<p>When scanning for vulnerable machines, the worm did not test to see if the server running on a remote machine was running a vulnerable version of IIS, or even to see if it was running IIS at all. Apache access logs<\/p>\n<h3><strong>Variants of CodeRed<\/strong><\/h3>\n<p><strong>Codered.II<\/strong><\/p>\n<p>This variant is similar to the original but differs in two major ways. CodeRed II infects the host with a trojan, Virtual Root, that helps hackers establish a backdoor to access and control the host server. It also replaces the repeated N&#8217;s with X&#8217;s.<\/p>\n<p><strong>Codeblue<\/strong><\/p>\n<p>It exploits the &#8220;Web Server Folder Traversal&#8221; vulnerability to pass the infection on to new machines. This variant targets IP addresses at random and sends an FTP get request to the victim systems. The FTP get request causes the infected machine to download HTTPEXT.dll to an IIS folder, which makes it possible to execute specific commands on the server.
The .dll file is then executed with a URL request, and the DLL places the SVCHOST.exe file in the C:\\ folder. Codeblue differs from Codered in that it is written to the hard drive and not to memory.<\/p>\n<p><strong>CodeGreen<\/strong><br \/>\nIt is an anti-worm that finds its own way to enter the target machine.<\/p>\n<p><strong>Effects<\/strong><br \/>\nOver 2 million computers were infected by Code Red, and organizations had to invest $2.75 billion to recover the lost productivity.<\/p>\n<p><strong>Preventive measures<\/strong><\/p>\n<p>Update the Windows OS with the latest security patch. (Microsoft released a security patch update to protect vulnerable systems from Code Red attacks.)<\/p>\n<p>Use an effective <a href=\"https:\/\/www.comodo.com\/home\/internet-security\/free-internet-security.php\" target=\"_blank\" rel=\"noopener\">internet security suite<\/a> that includes <a href=\"https:\/\/www.comodo.com\/home\/internet-security\/antivirus.php\" target=\"_blank\" rel=\"noopener\">antivirus software<\/a> to scan, detect and remove unknown threats; a firewall that terminates suspicious outbound data traffic from the IIS web server to stop the spread of the malware and other types of attacks; and, most of all, containment technology that quarantines suspicious threats and executes them in an isolated environment to deliver complete protection from threats like Code Red.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Code Red is a computer worm that was identified in July 2001, when computers running Microsoft&#8217;s Internet Information Services (IIS) web server were found compromised. The aftermath of the attack caused billions of dollars in damage in the summer of 2001. Marc Maiffret and Ryan Permeh, employees of eEye Digital Security [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":5513,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[9,262,263,208,97],"class_list":["post-5510","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-comodo-news","tag-antivirus","tag-code-red","tag-code-red-worm","tag-types-of-computer-virus","tag-virus-removal"],"post_mailing_queue_ids":[]}