Code Red II - Version D is on the loose, reports TruSecure
A new permutation of the Code Red II worm is on the loose, but while security experts believe its impact will be minimal, they say the appearance of the new worm could be a harbinger of trouble.
The new variant, which has initially been dubbed CodeRed.d, is nearly identical to its predecessor except for two minor pieces of code, according to Roger Thompson, head of malicious code research at TruSecure Corp....
New Code Red II Variant Reported
By Brian McWilliams for Newsbytes
The new worm has replaced a fragment of code known as an "atom" that was unique to the earlier version, the string "CodeRedII," with a series of underscore characters. In addition, the byte at offset 07C5 is changed from a 0 to an FF, according to Thompson, who announced the discovery today on a number of security mailing lists.
The minor tweaks in CodeRed.d appear to be a deliberate attempt to evade poorly designed intrusion detection systems or anti-virus software that is merely looking for the "CodeRedII" string, according to Thompson.
"People need to stay vigilant. This demonstrates that Code Red is not a dead issue in the minds of bad guys," said Thompson.
Thompson said he first stumbled upon CodeRed.d after writing a program that listens for traffic on the Web server's port 80 and captures a checksum or digital fingerprint of the probe. The program, WormCatcher, first received the new worm from a system in Korea, followed by a college in the United States. Four additional probes by the new worm have come from other sites around the world today, according to Thompson.
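As an added illustration (not code from the article, TruSecure or WormCatcher) of the evasion Thompson describes and of the checksum approach his WormCatcher program takes: a string-only signature misses the underscore variant, while a signature that masks the atom slot and the byte at 07C5 fingerprints both forms identically. The probe bytes, the atom offset and the request prefix below are constructed stand-ins, not real worm data.

```python
# Added example (not from the article or TruSecure): a constructed stand-in
# showing why a substring signature misses CodeRed.d and how a signature that
# masks the mutable fields, plus a WormCatcher-style checksum, catches both.
import hashlib

ATOM = b"CodeRedII"
ATOM_OFFSET = 0x40        # assumed slot position; the article gives no offset
MUTABLE_OFFSET = 0x7C5    # the offset the article says changed from 00 to FF
PROBE_LEN = 0x800         # constructed length, large enough to hold both

def build_probe(atom: bytes, mutable_byte: int) -> bytes:
    """Assemble a constructed probe (not real worm bytes) with the given fields."""
    prefix = b"GET /probe? "
    buf = bytearray(prefix + b"X" * (PROBE_LEN - len(prefix)))
    buf[ATOM_OFFSET:ATOM_OFFSET + len(atom)] = atom
    buf[MUTABLE_OFFSET] = mutable_byte
    return bytes(buf)

CODERED_II = build_probe(ATOM, 0x00)              # original Code Red II
CODERED_D = build_probe(b"_" * len(ATOM), 0xFF)   # variant described by Thompson

def naive_match(probe: bytes) -> bool:
    """The weak signature: look only for the "CodeRedII" string."""
    return ATOM in probe

def raw_fingerprint(probe: bytes) -> str:
    """Checksum of the probe as received; differs between the two variants."""
    return hashlib.sha256(probe).hexdigest()

def mask_mutable(probe: bytes) -> bytes:
    """Blank the atom slot and the mutable byte so both variants compare equal."""
    buf = bytearray(probe)
    buf[ATOM_OFFSET:ATOM_OFFSET + len(ATOM)] = b"\x00" * len(ATOM)
    buf[MUTABLE_OFFSET] = 0x00
    return bytes(buf)

def masked_fingerprint(probe: bytes) -> str:
    """Checksum over the invariant bytes only: one value for both variants."""
    return hashlib.sha256(mask_mutable(probe)).hexdigest()

KNOWN_FINGERPRINTS = {masked_fingerprint(CODERED_II)}   # learned from the original

def robust_match(probe: bytes) -> bool:
    """Match on the invariant structure rather than the changeable string."""
    return len(probe) == PROBE_LEN and masked_fingerprint(probe) in KNOWN_FINGERPRINTS
```

The length check in robust_match keeps a short, unrelated request from reaching the masking step, which indexes the fixed offsets.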