At 8:00 PM on Tuesday, July 31 (EDT), the Code Red worm will begin a new
infestation and this one appears set to damage far more ISPs and slow the
Internet far more than the June 19th infestation. Several of your systems
were infected. If they are not patched by July 31, they will be reinfected
and can damage your operations and hurt all your users by slowing their
operations. Because a mutation of the worm is now loose, additional
systems may also become part of the problem. The FBI, CERT/CC, Microsoft
and SANS issued a major warning earlier today
(http://www.digitalisland.net/coderedalert). All of us hope you can help
us stop this infrastructure attack.
The systems we found to be infected were:
To correct this problem, each user needs to do only four things.
1. Determine whether the system is running Microsoft IIS 4.0 or 5.0
on Windows 2000 or Windows NT.
2. If it is, download the appropriate patch:
Windows NT version 4.0:
Windows 2000 Professional, Server and Advanced Server:
3. Run the patch
4. Reboot the system.
Step-by-step directions along with a 30 minute presentation on this worm,
may be found at www.digitalisland.net/codered.
Your part in solving the problem is to make sure each of the users on the
list above do these four things, and that each of your other users who run
IIS also patch their systems.
If you have questions about Code Red, please email [log in to unmask] with the
subject Code Red ISP question.
Our goal in sending this note is to ask you to help protect the Internet
from what the FBI and Microsoft are calling "A Very Real and Present
Threat to the Internet." But we also hope to let the world know about ISPs
who are concerned about their clients' security.
Chief Technology Officer
The Internet Storm Center
The SANS Institute