Unlike the original Code Red worm, Code Red II will not disappear by simply rebooting the infected machine. Code Red II leaves a nasty backdoor that hackers can use to further exploit an infected computer. We’re going to take a closer look at this “Trojan horse” planted by Code Red II and explain how to avoid it or remove it.

Code Red II employs a new tactic
Both versions of Code Red reside entirely in memory, so rebooting a system will remove them, although the system will likely be reinfected unless you first apply the patch from Microsoft.

Since the original Code Red worm doesn’t leave a payload behind, it’s relatively easy to clean up—but you may not want to. Code Red (and apparently Code Red II) don’t reinfect systems that already have Code Red in memory. Therefore, until you are prepared to reboot and install the patch, it might actually make sense to temporarily leave the original Code Red worm on some systems to block the much more dangerous Code Red II.

Think about this: Code Red II spread very rapidly to a quarter of a million systems, but many of those same systems had almost certainly been infected by the original version of the worm. That means that the administrators removed the original Code Red worm by rebooting or through normal maintenance but failed to install the patch. Otherwise, they wouldn’t have been infected by Code Red II.

Code Red II is memory resident, and under certain conditions, it will even trigger a reboot on its own to remove the code. But merely rebooting doesn’t do much good. Code Red II also plants a Trojan (a backdoor for hackers to enter the system) that infects versions of Explorer.exe on the machine. The problem may go completely undetected, especially if the worm triggered a reboot and is thus no longer infecting the system.

Determining whether you’ve been hit by Code Red II
According to the SANS Institute analysis, the worm copies %windir%\CMD.EXE to the following locations:

  • c:\inetpub\scripts\root.exe
  • c:\progra~1\common~1\system\MSADC\root.exe
  • d:\inetpub\scripts\root.exe
  • d:\progra~1\common~1\system\MSADC\root.exe

The Privacy Software Corporation explains this in some detail and is providing a free tool that will help you remove Code Red II from an infected server.

But if the worm may trigger a reboot and remove all traces of itself from system memory, how do you even know if your system has been infected by Code Red II?

A quick search for extra copies of Explorer.exe is one place to start. On a clean WinNT or Win2K system, you shouldn’t see any .exe files in the root directory (e.g., “C:\”). Explorer.exe is normally located in the \winnt directory. Basically, there shouldn’t be a copy of Explorer.exe in C:\ or D:\ root directories. If there is, then the machine has probably been infected.

You can also look for copies of your system’s Cmd.exe file, which the worm copies to \inetpub and \progra~1 subdirectories, as explained above. The files are legitimate—just copies of your original—but they shouldn’t be in those directories. Removing those false Explorer.exe files and the copies of Cmd.exe will remove the Trojan door itself but won’t alert you to any damage already done by other attacks.

Those are two quick and dirty ways to check your system and may be all you need to do before installing the patch. Another way to look for Code Red infections is to use a scanner. Symantec (Norton) has a small utility program that will scan your system to see if your server needs to be dewormed. Symantec also maintains a site where you can obtain free virus and other vulnerability scanners. You can check individual computers online just by clicking on the Security Check link, but there are also information pages and downloads available. The online scan is intended for home users but may be useful for some businesses. One of the scans produces an interesting report on open Trojan horse ports.

Dealing with the Code Red II Trojan
The scripts and MSADC directories where Code Red II places bogus copies of Root.exe have execute permission by default, so the copied files prop a backdoor wide open for anyone to wander in. And because Code Red II places its custom version of Explorer.com in the root directories of the C: and D: drives, that version will execute before the legitimate version of the program. This is known as the “Relative Shell Path Vulnerability” (in Windows NT 4.0 and Windows 2000) and is addressed by Microsoft Security Bulletin MS00-052, which carries details and links to patches.

As a result, the Code Red II infection creates a gigantic backdoor to your system. So merely removing the fake Explorer.exe and the Cmd.exe files may not clean out your system. In addition, the utilities that remove the backdoor may not really clean out your system either because virtually anything could have been inserted through that backdoor by some other attack that’s completely unrelated to Code Red II.

Thus, as far as I can determine, the only foolproof way to deal with an actual Code Red II infection is to reformat the hard drive, reinstall Windows NT/2000 Server, install the patch, and reinstall all your programs on a clean system. Unfortunately, that is what I would recommend.

Additional resources
You can learn more about Code Red II from the initial analysis of Code Red II by security site eEye.com. The analysis emphasizes that although Code Red II uses the same vulnerability (i.e., unpatched holes in IIS .ida), it is, in fact, not a variant of the initial Code Red but an entirely new worm. The SANS Institute Code Red II report provides additional information.

Have you been hit by Code Red II?

Did you find hackers exploiting the Trojan left by Code Red II? We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.