Original release date: June 19, 2001
There has been a dramatic increase in reports of website defacements and scans for hosts listening on TCP port 80. This activity appears to be related to the "Code Red" worm, a recently discovered worm that exploits the buffer overflow in the IIS Indexing Service DLL. More information can be found at http://www.cert.org/advisories/CA-2001-13.html
· Systems running Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled
· Systems running Microsoft Windows 2000 (Professional, Server, Advanced Server, Datacenter Server)
· Systems running beta versions of Microsoft Windows XP
There is a remotely exploitable buffer overflow in one of the ISAPI extensions installed with most versions of IIS 4.0 and 5.0 (the specific Internet/Indexing Service Application Programming Interface extension is IDQ.DLL).
The vulnerability allows the attacker to run code of their choice. The attacker may have complete control of the victim's system. I think this kind of worm is a common one and administrators need to be aware of new system bugs and apply the appropriate fixes.
The solution to this problem is to apply a patch. Appropriate patches to protect against attack can be downloaded from the Internet.
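To see whether a server has received overlong requests aimed at the Indexing Service extension described above, its IIS logs can be reviewed. The following is an added example, not part of the original advisory: it parses W3C extended format log text and groups overlong queries to idq.dll-mapped URLs by client address. The `.ida`/`.idq` mapping, the length threshold and the sample log lines are assumptions or constructed values, not taken from this page.

```python
from collections import defaultdict

# File extensions that IIS maps to idq.dll (assumption: default script mappings,
# not stated on this page).
IDQ_EXTENSIONS = (".ida", ".idq")
# Hypothetical threshold; ordinary Indexing Service queries are short.
MAX_QUERY_LEN = 200

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-06-20 14:02:11 192.0.2.10 GET /index.html - 200
2001-06-20 14:02:15 198.51.100.7 GET /default.ida {long} 200
2001-06-20 14:03:40 192.0.2.44 GET /search.idq CiScope=/docs 200
2001-06-20 14:05:02 203.0.113.9 GET /Default.IDA {long} 500
2001-06-20 14:05:09 198.51.100.7 GET /default.ida {long} 200
""".replace("{long}", "A" * 240)


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def suspicious_idq_requests(text, max_query_len=MAX_QUERY_LEN):
    """Return {client IP: [(date, time, stem, query length)]} for overlong queries."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()  # IIS URLs are case-insensitive
        query = rec.get("cs-uri-query", "-")
        if stem.endswith(IDQ_EXTENSIONS) and query != "-" and len(query) > max_query_len:
            hits[rec.get("c-ip", "?")].append(
                (rec.get("date"), rec.get("time"), stem, len(query)))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in sorted(suspicious_idq_requests(SAMPLE_LOG).items()):
        print(ip, len(events), "overlong request(s):", events)
```

A match shows that the server was probed, not that it was compromised; whether the request succeeded depends on whether the patch was applied.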
...