3rd version of Code Red computer worm detected, South Korea says

Reuters Aug. 10, 2001 04:23:00

SEOUL - The Code Red computer virus has mutated into a third more dangerous variant, South Korea's Information and Communication Ministry said today.

''About 10 damage reports have come in which were believed to have been the result of the latest Code Red III,'' Ko Kwang-sup, an official at the ministry, told Reuters.

He said the Code Red III worm spreads even faster than earlier versions and leaves a wider ''back door'' on infected machines, making them more vulnerable to future hacking.

The ministry said about 43,201 servers at 15,000 Korean organizations or companies had been hit by versions of Code Red so far. Nearly 1,400 instances of damage had been reported.

''Actual damage might have been higher than reported figures,'' the ministry said in a statement.

The Code Red worm spreads surreptitiously through a hole in certain Microsoft software such as Internet Information Server (IIS) Web software and Windows NT or 2000 machines operating systems.

The Information and Communication Ministry said small companies and educational institutions had been hardest hit by the so-called ''worm.''

http://www.arizonarepublic.com/arizona/articles/0810NET-TECH-CODERED-VIRUS-DC.html

-- Martin Thompson (mthom1927@aol.com), August 10, 2001

Answers

Oh, goodness no, not still another one.

-- LillyLP (lillyLP@aol.com), August 10, 2001.

It's amazing that a worm, for which a "vaccine" has been readily available, for such a long time; still causes so much havoc. It's sheer negligence and complacency.

How bad will things get when a virus is unleashed, for which there is no "vaccine" available for some time?

-- Robert Riggs (rxr.999@worldnet.att.net), August 11, 2001.

08/10/2001 - Updated 03:47 PM ET 'Code Red': The virus that will not die

By Jim Hopkins, USA TODAY

SAN FRANCISCO — The fast-moving Code Red computer worm keeps dodging the high-tech bullets meant to kill it. Among the latest victims: FedEx, AT&T and Microsoft — which for weeks has urged customers to install its patch against the worm. As many as 800,000 computers worldwide have been hit, causing business disruptions and Internet slowdowns. Code Red is the biggest Internet threat since last year's Love Bug.

http://www.usatoday.com/life/cyber/tech/2001-08-10-code-red-wont- die.htm#more

-- Martin Thompson (mthom1927@aol.com), August 11, 2001.

I saw one headline yesterday that said version two had been very hard on China.

-- Rachel Gibson (rgibson@hotmail.com), August 11, 2001.

My ISP is AT&T, and my Internet service has been very poor, with rapid disconnections, and sometimes unable to log on at all. Short msg. fear disconnect any second.

-- Robert Riggs (rxr.999@worldnet.att.net), August 17, 2001.

The following are two recent postings of mine at http://www.timebomb2000.com/vb/showthread.php? s=&postid=40397#post40397 dated 8/14 and 8/17. Since there are on topic, I thought I would crosspost them here.

8/14/2001 Posting

"......a few days ago I had a conversation with a computer systems expert. He works for an organization that is frantically helping companies minimize damage being inflicted by the Code Red worm virus. It is fascinating to see the similarities as well as differences between efforts to keep Y2K-related failures under wraps and efforts to keep Code Red problems under wraps. A concern for possible economic repercussions seems to be one of the key similarities from what one of the experts was telling me."

8/17/2001 Posting

"I would be interested in hearing comments to my last posting, particularly about the comparison between the way organizations have been reluctant to talk about damages they have incurred as a result of Code Red virus attacks.

Is anyone else aware of the pressures within organizations to downplay the seriousness of Code Red problems or to keep the extent of the problems under wraps? Anyone out there who is in a position to at least speak anonymously and off the record?

One systems expert who is working to minimize the damage tells me that he hears that an estimated 2 billion dollars worth of damage has been done so far by this virus. He also said that there is apparently no end in sight. From what I gather, recurring onslaughts are expected to go off monthly.

The Code Red virus threat has the earmarks of being the kind of complex technology problem that eludes the understanding of public officials, the media, and the public. It could also be that there are frantic efforts at the national and global levels within the public and private sectors to address the problem and little of what is going on has come to the attention of the media."

End of crossposts from TB2K.

-- Paula Gordon (pgordon@erols.com), August 18, 2001.

I thought you might be interested in the following:

http://www.timebomb2000.com/vb/showthread.php?s=&threadid=5427

Here is an excerpt from the thread on the impact (and the possible origins) of the Code Red worm virus dated 8/17:

"Having spent the past week helping clean out a major Tech industry player that got hit by the Code Red worm, I have had plenty of opportunity to learn about it. As I understand it, the general opinion is that the worm originated in Japan, not China (a country that has held low opinion of China in the past and wouldn't mind making them look bad). Engineers who have studied the code in the worm say that it has none of the hallmarks of chinese programming, and several indications that it was written in Japan. Apparently coders use different "syntax" in different parts of the world, depending on the way they were taught. It is remotely possible that it came from an independent chinese hacker, a hei ke (black guest, which is a really clever description of what a hacker is that happens to sound just like the english word), but definitely not from a government-backed or government-supporting hacker, known as a "Honker" or Hong Ke (red guest, for obvious reasons, and playing off the original hei ke term). Generally, though, from what has been seen of them, both Hei Ke and the honkers are fairly sophisticated, far more so than eastern european hackers or other asian hackers. Their attacks tend to be more comprehensive in the defacement they create, and don't just claim their chinese origin, as the worm would have you believe. The worm itself, however, is deviously written, in its method of attack. It is only a matter of time before someone randomizes the port it attacks, changes the application it looks for to something more ubiquitous like File and Print Sharing for Windows, or Client for Microsoft Networks or something, and puts a destructive payload in. TEOTWAWKI (the end of the web as we know it)"

End of crosspost

-- Paula Gordon (pgordon@erols.com), August 18, 2001.

Material on the Code Red worm virus that may be of interest can be found on the Gibson Research Corporation website at http://grc.com/codered/coderedii.htm Also this page from the same website has some sources of media coverage: http://grc.com/codered/codered.htm

-- Paula Gordon (pgordon@erols.com), August 18, 2001.