The virus' mutation makes it more dangerous than it was before.
Code Red takes advantage of a buffer overrun vulnerability on systems running Microsoft IIS v4.0 and v5.0, allowing the attacker to gain control of an infected server. Most system administrators and users will not even know they have been compromised, the advisory said.
The virus initially struck servers on July 19, infecting more than 250,000 servers in nine hours. The worm scans the Internet, identifies vulnerable systems, and infects them by installing itself. Each newly installed worm joins the others, causing the rate of scanning to grow rapidly.
This uncontrolled growth in scanning slows down the Internet and can cause sporadic, widespread outages among all types of systems.
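The compounding described above can be sketched with a simple random-scanning spread model. This is an added example, not part of the original article or any advisory; the vulnerable-host count and per-host scan rate are assumed values for illustration, not measurements of Code Red.

```python
# Added illustration: discrete-time model of a random-scanning worm.
# Every parameter value used here is an assumption, not a Code Red measurement.

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner can pick from


def simulate(vulnerable, scans_per_sec, hours, seed_infected=1, step_sec=60):
    """Return (hour, infected) samples, one per simulated hour.

    Each infected host probes `scans_per_sec` random addresses. A probe
    succeeds only when it lands on a vulnerable host not yet infected.
    """
    infected = float(seed_infected)
    samples = [(0, infected)]
    steps_per_hour = 3600 // step_sec
    for hour in range(1, hours + 1):
        for _ in range(steps_per_hour):
            probes = infected * scans_per_sec * step_sec
            hit_rate = (vulnerable - infected) / ADDRESS_SPACE
            infected = min(vulnerable, infected + probes * hit_rate)
        samples.append((hour, infected))
    return samples


def hours_to_reach(fraction, vulnerable, scans_per_sec, max_hours=200):
    """First whole hour at which `fraction` of vulnerable hosts is infected."""
    for hour, infected in simulate(vulnerable, scans_per_sec, max_hours):
        if infected >= fraction * vulnerable:
            return hour
    return None


if __name__ == "__main__":
    # Assumed scenario: 300,000 unpatched servers, 10 probes/sec per worm.
    for hour, infected in simulate(300_000, 10, 9):
        print(f"hour {hour}: {infected:,.0f} infected")
    # Same worm, but half of the servers were patched beforehand.
    print("hours to 50%, unpatched:", hours_to_reach(0.5, 300_000, 10))
    print("hours to 50%, half patched:", hours_to_reach(0.5, 150_000, 10))
```

Because the hit rate depends on how many unpatched hosts remain, patching shrinks the growth rate itself, not only the final infection count.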
Code Red also checks for a file named "c:\notworm," which it leaves behind in an infected system. If the file is already there, Code Red goes dormant.
The worm then checks if the Web site that the server is running is in English. If so, the page is defaced with the message: "Hello! Welcome to http://www.worm.com! Hacked By Chinese!"
Detailed information on how to make your server less vulnerable to Code Red and what to do if it does get infected is being provided by Microsoft, the National Infrastructure Protection Center, the Federal Computer Incident Response Center (FedCIRC), and various technology industry groups.
Information about security patches and other preventive measures is available on Digital Island's Web site at http://www.digitalisland.net/coderedalert/.