FACTOID # 29: 73.3% of America's gross operating surplus in motion picture and sound recording industries comes from California.
 Home   Encyclopedia   Statistics   States A-Z   Flags   Maps   FAQ   About 


FACTS & STATISTICS    Advanced view

Search encyclopedia, statistics and forums:



(* = Graphable)



Encyclopedia > Code Red (computer worm)
Computer security Portal

The Code Red worm was a computer worm released on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server. The most in-depth research on the worm was performed by the programmers at eEye Digital Security. They also gave the worm its name, a reference to a variety of Mountain Dew soft drink and the phrase "Hacked By Chinese!" (see Red Scare) with which the worm defaced websites. Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On this day, the infected hosts reached 359,000.[1] Image File history File links Portal. ... A computer worm is a self-replicating computer program. ... July 13 is the 194th day (195th in leap years) of the year in the Gregorian Calendar, with 171 days remaining. ... 2001 (MMI) was a common year starting on Monday of the Gregorian calendar. ... Microsoft is one of few companies engaging itself in the console wars Where they are up against sony, nintendo, and of course sharps new console which may cause a threat. ... IIS (Microsoft Internet Information Services or Server) is a set of Internet based services for Windows machines. ... Wikimedia servers architecture The term Web server can mean one of two things: A computer that is responsible for accepting HTTP requests from clients, which are known as Web browsers, and serving them HTTP responses along with optional data contents, which usually are Web pages such as HTML documents and... The title given to this article is incorrect due to technical limitations. ... This article or section does not cite its references or sources. ... Some factual claims in this article need to be verified. ... July 19 is the 200th day (201st in leap years) of the year in the Gregorian Calendar, with 165 days remaining. ...


How it worked

Exploited vulnerability

The worm exploited a vulnerability in the indexing software distributed with IIS, described in MS01-033, for which a patch had been available a month earlier.

The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated character 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine. In computer security and programming, a buffer overflow, or buffer overrun, is a programming error which may result in a memory access exception and program termination, or in the event of the user being malicious, a breach of system security. ...

Worm payload

The payload of the worm included:

  • It defaced the affected web site to display:

    HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

    (The last sentence became a stock phrase to indicate an online defeat)
  • It tried to spread itself by looking for more IIS servers on the Internet.
  • It waited 20-27 days after it was installed to launch denial of service attacks on several fixed IP addresses. The IP address of the White House web server was among those.[1]

When scanning for vulnerable machines, the worm did not test to see if the server running on a remote machine was running a vulnerable version of IIS, or even to see if it was running IIS at all. Apache access logs from this time frequently had entries such as these: [2] A stock phrase is a spoken phrase which has little if any actual meaning of its own (a phatic expression); it carries meaning only through custom or context. ... A denial-of-service attack (also, DoS attack) is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system. ... An IP address (Internet Protocol address) is a unique address that devices use in order to identify and communicate with each other on a computer network utilizing the Internet Protocol standard (IP)—in simpler terms, a computer address. ... North façade of the White House, seen from Pennsylvania Avenue. ... Apache HTTP Server is a free software/open source web server for Unix-like systems, Microsoft Windows, Novell NetWare and other operating systems. ...

%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

Similar worms

Main article: Code Red II

On August 4, 2001 Code Red II appeared. Code Red II is not a variant of the original Code Red worm. Although it uses the same injection vector it has a completely different payload. It pseudo-randomly chose targets on the same or different subnets as the infected machines according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used the pattern of repeating 'X' characters instead of 'N' characters to overflow the buffer. Code Red II is a computer worm similar to the Code Red worm. ... August 4 is the 216th day of the year in the Gregorian Calendar (217th in leap years), with 149 days remaining. ... 2001 (MMI) was a common year starting on Monday of the Gregorian calendar. ... Code Red II is a computer worm similar to the Code Red worm. ... Wikipedia does not yet have an article with this exact name. ... In cargo transport, the payload is the valuable contents of the vehicle. ... A pseudo-random number is a number belonging to a sequence which appears to be random, but can in fact be generated by a finite computation. ...

eEye believed that the worm originated in Makati City, Philippines (the same origin as the VBS/Loveletter worm). The City of Makati, or simply Makati, is one of the most important cities in the Philippines in terms of finance and commerce. ... The VBS/Loveletter computer worm, also known as Iloveyou or Lovebug, is a computer worm written in VBScript. ...


  1. ^ a b Moore, David; Colleen Shannon (2001?). The Spread of the Code-Red Worm (CRv2). CAIDA Analysis. Retrieved on 2006-10-03.
  2. ^ The worm's payload is the string following the last 'N'. A vulnerable host interprets this string as computer instructions

-1... October 3 is the 276th day of the year (277th in leap years) in the Gregorian Calendar. ...

See also

This is a list of noteworthy computer viruses and worms. ...

External links



Share your thoughts, questions and commentary here
Your name
Your comments

Want to know more?
Search encyclopedia, statistics and forums:


Press Releases |  Feeds | Contact
The Wikipedia article included on this page is licensed under the GFDL.
Images may be subject to relevant owners' copyright.
All other elements are (c) copyright NationMaster.com 2003-5. All Rights Reserved.
Usage implies agreement with terms, 1022, m