You may have seen news reports about the Code Red worm.
* UVM has today and tomorrow to protect systems
* Code Red is set to begin scanning and infecting
systems at 8:00 Tuesday evening, July 31.
Is a system you're responsible for vulnerable? SANS has warned:
"Every organization or person who has
Windows NT or Windows 2000 systems
AND the IIS web server software
may be vulnerable.
"IIS is installed automatically
for many applications. If you are
not certain, follow the instructions
attached to determine whether you are
running IIS 4.0 or 5.0."
Please apply the patch today, or take the system offline until you
have been able to apply the patch.
More information appears below. At least one UVM server was
determined to be infected this morning.
We probably can't hope that since the FBI is involved, the worm might
turn up missing, so thank you for securing systems so that the impact
of Code Red on UVM is minimized.
---------- Forwarded message ----------
Date: Sun, 29 Jul 2001 15:17:13 -0600 (MDT)
From: The SANS Institute <[log in to unmask]>
Subject: SANS Security Alert. Code Red Is Set to Come Storming
-----BEGIN PGP SIGNED MESSAGE-----
SANS Security Alert. Code Red Is Set to Come Storming Back!
SANS, Microsoft, the NIPC, CERT/CC and four other leading security
organizations released the following alert today (Sunday, January 29)
at 4 pm. EDT.
A Very Real and Present Threat to the Internet: July 31 Deadline For Action
Summary: The Code Red Worm and mutations of the worm pose a continued
and serious threat to Internet users. Immediate action is required
to combat this threat. Users who have deployed software that is
vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must
install, if they have not done so already, a vital security patch.
How Big Is The Problem? On July 19, the Code Red worm infected more
than 250,000 systems in just 9 hours. The worm scans the Internet,
identifies vulnerable systems, and infects these systems by installing
itself. Each newly installed worm joins all the others causing the
rate of scanning to grow rapidly. This uncontrolled growth in
scanning directly decreases the speed of the Internet and can cause
sporadic but widespread outages among all types of systems. Code Red
is likely to start spreading again on July 31st, 2001 8:00 PM EDT and
has mutated so that it may be even more dangerous. This spread has
the potential to disrupt business and personal use of the Internet
for applications such as electronic commerce, email and entertainment.
Who Must Act? Every organization or person who has Windows NT or
Windows 2000 systems AND the IIS web server software may be vulnerable.
IIS is installed automatically for many applications. If you are not
certain, follow the instructions attached to determine whether you
are running IIS 4.0 or 5.0. If you are using Windows 95, Windows 98,
or Windows Me, there is no action that you need to take in response
to this alert.
What To Do If You Are Vulnerable?
a. To rid your machine of the current worm, reboot your computer.
b. To protect your system from re-infection: Install Microsoft's
patch for the Code Red vulnerability problem:
Windows NT version 4.0:
Windows 2000 Professional, Server and Advanced Server:
Step-by-step instructions for these actions are posted at
Microsoft's description of the patch and its installation, and the
vulnerability it addresses is posted at:
Because of the importance of this threat, this alert is being made jointly by:
The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
Internet Security Systems
Internet Security Alliance
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
From [log in to unmask] Mon Jul 30 07:06:27 2001
Date: Sun, 29 Jul 2001 23:41:33 -0400
From: [log in to unmask]
To: [log in to unmask]
Subject: Code Red Security Alert Followup
At 8:00 PM on Tuesday, July 31 (EDT), the Code Red worm will begin a new
infestation and this one appears set to damage far more ISPs and slow the
Internet far more than the June 19th infestation. Several of your systems
were infected. If they are not patched by July 31, they will be reinfected
and can damage your operations and hurt all your users by slowing their
operations. Because a mutation of the worm is now loose, additional
systems may also become part of the problem. The FBI, CERT/CC, Microsoft
and SANS issued a major warning earlier today
(http://www.digitalisland.net/coderedalert). All of us hope you can help
us stop this infrastructure attack.
The systems we found to be infected were:
To correct this problem, each user needs to do only four things.
1. Determine whether the system is running Microsoft IIS 4.0 or 5.0
on Windows 2000 or Windows NT.
2. If it is, download the appropriate patch:
Windows NT version 4.0:
Windows 2000 Professional, Server and Advanced Server:
3. Run the patch
4. Reboot the system.
Step-by-step directions, along with a 30-minute presentation on this worm,
may be found at http://www.digitalisland.net/codered.
Your part in solving the problem is to make sure each of the users on the
list above does these four things, and that each of your other users who run
IIS also patches their systems.
If you have questions about Code Red, please email [log in to unmask] with the
subject Code Red ISP question.
Our goal in sending this note is to ask you to help protect the Internet
from what the FBI and Microsoft are calling "A Very Real and Present
Threat to the Internet." But we also hope to let the world know about ISPs
who are concerned about their clients' security.
Chief Technology Officer
The Internet Storm Center
The SANS Institute
[log in to unmask]
Dean Williams [log in to unmask]
Assistant Director for Client Services 656-1174
Division of Computing & Information Technology FAX 656-0872