Code Red II Wends Its Way

A variant of the Code Red server worm came to life over the weekend, hitting cable modem users particularly hard. By Michelle Delio.

Reader's advisory: Wired News has been unable to confirm some sources for a number of stories written by this author. If you have any information about sources cited in this article, please send an e-mail to sourceinfo[AT]wired.com.

A nasty spinoff of the Code Red worm began to wiggle across the Internet early Saturday, scanning quickly and furiously in a search for vulnerable computers to infect.

"Code Red II" is far more dangerous than its namesake, which infected other machines so that it could then use them to attack the White House website.

If the new worm infects a system, it installs a "back door" into that system, allowing a malicious hacker to remotely connect to and control any Code Red II-infected Web server.

The contents of any infected Web server can also be viewed by anyone with a bit of technical know-how and a standard browser.

"What's particularly troublesome about this new variant of Code Red is its ability to open up an infected computer system completely to the Internet," said Ian Hameroff, business manager of security solutions at Computer Associates. "This means an intruder could browse through and even download files from an infected Web server."

Code Red II can only infect systems running the Microsoft Windows 2000 operating system, and only if Microsoft's Internet Information Server (IIS) -- a Web server application -- is also installed and active. If a system has already been patched against the original version of Code Red, it cannot be infected by Code Red II.

Computer Associates classified the worm as a medium-to-high risk on Sunday. Symantec also classified the worm, which the company refers to as Code Red v3, as a high threat.

Code Red II's debut was marked for many by the furious flickering of their cable modem's data light as the worm scanned the Internet for vulnerable computers to infect.

A modem's data light flashes when data is being transmitted, or an attempt is being made to transmit data, from one computer to another.

Cable modem users seemed to be hardest hit by the new worm's scanning activity, with many reporting a steady stream of two or more attempts per minute to access their computers over the weekend.

"The data light on my modem began blinking on and off non-stop starting on Saturday evening," said Keith Collins, a website designer. "My firewall logged 2,072 attempts to access my machine from late Saturday afternoon into early Sunday morning. I normally see only about 10 attempts, at the most, in a similar time period."

Cable modem users were hit hard due to the way the worm chooses its scan targets.

A computer infected with Code Red II scans other computers that are located in the same "address space" as the infected machine. So an infected machine will attempt to attack all the other users of a particular Internet service provider, or other machines on the same network.

"We're getting a huge amount of calls and online requests for information and help with this thing. It's a pretty intense bombardment, judging by the amount of calls we've gotten," said a tech support worker from Time Warner's Road Runner service.

He said there had been no impact to Road Runner's service quality.

Many of the reported infection attempts appeared to be originating from accounts at Excite@Home's service. Calls to tech support were referred to the public relations office, which was closed for the weekend.

Security experts speculate that the worm may be spread by home users who are unaware that they have Microsoft's IIS Web server software running on their computers, or who have somehow managed to miss the media blitz that accompanied the original worm's first and second infection cycles.

In an attempt to alert people that their machine has been infected and is spreading the Code Red II worm, SecurityFocus, a computer security news site, began collecting firewall logs that point to infected machines so that it can notify the computers' owners.
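The kind of firewall-log triage described above (counting repeated port-80 probes per source, as in Keith Collins's 2,072 logged attempts, and noting which sources sit in the same address block as the monitored host) can be scripted. The following is an added example, not code from the article, SecurityFocus or any firewall vendor; the log format, the sample lines and the local address 24.17.9.44 are all constructed for the example.

```python
"""Summarise repeated HTTP probe attempts from firewall log lines.

Added example. The log layout below ('TIMESTAMP ACTION SRC:PORT -> DST:PORT')
is a simplified, constructed format, not the output of any real firewall.
"""
from collections import Counter
from datetime import datetime
import ipaddress
import re

# Constructed sample log lines (not real captures). One source hammers TCP/80
# repeatedly; two others touch it once; one line is unrelated SSH traffic.
SAMPLE_LOG = """\
2001-08-04 18:02:11 DROP 24.17.5.20:3012 -> 24.17.9.44:80
2001-08-04 18:02:40 DROP 24.17.5.20:3041 -> 24.17.9.44:80
2001-08-04 18:03:05 DROP 24.17.5.20:3070 -> 24.17.9.44:80
2001-08-04 18:03:33 DROP 65.12.200.7:1502 -> 24.17.9.44:80
2001-08-04 18:04:01 DROP 24.17.5.20:3101 -> 24.17.9.44:80
2001-08-04 18:04:30 DROP 24.17.5.20:3133 -> 24.17.9.44:80
2001-08-04 18:05:17 DROP 24.200.1.9:4410 -> 24.17.9.44:80
2001-08-04 18:05:50 DROP 24.17.5.20:3160 -> 24.17.9.44:80
2001-08-04 18:06:02 DROP 10.1.1.5:5555 -> 24.17.9.44:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src_ip, dst_port) for each well-formed line; skip junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               m["src"], int(m["dport"]))


def port80_attempts_by_source(text):
    """Count probes against TCP/80 (the IIS port the worm targets) per source."""
    counts = Counter()
    for _, src, dport in parse_log(text):
        if dport == 80:
            counts[src] += 1
    return counts


def flag_scanners(text, min_attempts=3):
    """Return {src: (attempts, attempts_per_minute)} for sources that probed
    port 80 at least min_attempts times. The rate is attempts over the span
    between a source's first and last probe (at least one minute)."""
    counts = Counter()
    first_last = {}
    for ts, src, dport in parse_log(text):
        if dport != 80:
            continue
        counts[src] += 1
        lo, hi = first_last.get(src, (ts, ts))
        first_last[src] = (min(lo, ts), max(hi, ts))
    flagged = {}
    for src, n in counts.items():
        if n < min_attempts:
            continue
        lo, hi = first_last[src]
        minutes = max((hi - lo).total_seconds() / 60.0, 1.0)
        flagged[src] = (n, n / minutes)
    return flagged


def neighbourhood_report(sources, local_ip):
    """Classify each source by how close it is to the monitored host's own
    address (same /16, same /8, or remote). Clusters of probes from the same
    block are what the article's 'same address space' scanning looks like
    from the receiving end."""
    local = ipaddress.ip_address(local_ip)
    report = {}
    for src in sources:
        addr = ipaddress.ip_address(src)
        if addr in ipaddress.ip_network(f"{local}/16", strict=False):
            report[src] = "same /16"
        elif addr in ipaddress.ip_network(f"{local}/8", strict=False):
            report[src] = "same /8"
        else:
            report[src] = "remote"
    return report


if __name__ == "__main__":
    for src, (n, rate) in flag_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} probes, {rate:.1f}/min")
    print(neighbourhood_report(port80_attempts_by_source(SAMPLE_LOG), "24.17.9.44"))
```

Flagged sources are the candidates an ISP abuse desk or a service such as SecurityFocus would want reported; a single hit from an address is normal background noise and is left unflagged.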

SecurityFocus's ARIS Incident Analysts were the first to spot the new worm early on Saturday and worked with eEye Digital Security to analyze the worm's features.

Marc Maiffret and Ryan Permeh of eEye Digital Security said in a post to SecurityFocus's BugTraq archive that Code Red II is not a true variant of Code Red, but is instead a "completely brand new worm" that only uses the same method of infection as the original.

Other security firms said that Code Red II is indeed a variant.

After infecting a machine, Code Red II checks to see if another copy of itself got there first. If so, the new copy kills itself; only one Code Red II worm can be active in the system at any given time.

Rebooting a machine will clear it of the worm. But to completely clear an infected system, the file named "root.exe" in the scripts and msadc directories under the IIS webroot needs to be deleted, as well as a file named "explorer.exe," which is located in the root of the machine's C drive, and the D drive if that drive is present on the infected machine.

After removing these files, the computer should then be rebooted, according to the Code Red II analysis reports from the ARIS project.
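The cleanup the article describes reduces to checking a handful of fixed file locations and, if any are present, deleting them and rebooting. The following added example (not from the article, eEye or the ARIS analysis) checks those locations without modifying anything and returns the remediation plan; the webroot path, drive roots and the sample layout it builds are constructed so the check can be exercised on any operating system.

```python
"""Check a host for the on-disk artifacts of a Code Red II infection.

Added example, not a vendor tool. The locations are the ones the article
lists: root.exe in the scripts and msadc directories under the IIS webroot,
and explorer.exe in the root of the C: drive (and D: if present).
"""
from pathlib import Path
import tempfile

# Relative locations taken from the article's description.
WEBROOT_ARTIFACTS = ("scripts/root.exe", "msadc/root.exe")
DRIVE_ROOT_ARTIFACT = "explorer.exe"


def find_artifacts(webroot, drive_roots):
    """Return the suspicious files that exist. Only existence is checked.

    webroot     -- path of the IIS webroot (a real host would pass its own)
    drive_roots -- roots of the machine's fixed drives (C:\\ and D:\\ on Windows)

    The legitimate Explorer lives in the Windows directory, never in the drive
    root, so an explorer.exe directly under C:\\ or D:\\ is the worm's copy.
    """
    found = []
    webroot = Path(webroot)
    for rel in WEBROOT_ARTIFACTS:
        p = webroot / rel
        if p.is_file():
            found.append(p)
    for root in drive_roots:
        p = Path(root) / DRIVE_ROOT_ARTIFACT
        if p.is_file():
            found.append(p)
    return found


def remediation_plan(found):
    """Turn the findings into the ordered steps the article gives:
    delete each dropped file, then reboot so no running copy survives."""
    if not found:
        return ["no Code Red II artifacts present"]
    return [f"delete {p}" for p in found] + ["reboot the machine"]


def build_constructed_layout(base):
    """Create a fake infected layout under base (constructed sample, empty
    files, no malware). Returns (webroot, drive_roots)."""
    base = Path(base)
    webroot = base / "inetpub" / "wwwroot"
    (webroot / "scripts").mkdir(parents=True)
    (webroot / "msadc").mkdir(parents=True)
    (webroot / "scripts" / "root.exe").write_bytes(b"")   # dropped by the worm
    c_drive, d_drive = base / "C", base / "D"
    (c_drive / "WINNT").mkdir(parents=True)
    d_drive.mkdir()
    (c_drive / "explorer.exe").write_bytes(b"")            # dropped by the worm
    (c_drive / "WINNT" / "explorer.exe").write_bytes(b"")  # legitimate; must not be flagged
    return webroot, [c_drive, d_drive]


def demo():
    """Run the check on the constructed layout; return artifact paths relative
    to the temporary base, with forward slashes so the result is OS-neutral."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot, drives = build_constructed_layout(tmp)
        found = find_artifacts(webroot, drives)
        return sorted(str(p.relative_to(tmp)).replace("\\", "/") for p in found)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        webroot, drives = build_constructed_layout(tmp)
        for step in remediation_plan(find_artifacts(webroot, drives)):
            print(step)
```

On a real Windows 2000 host the caller supplies the actual IIS webroot and drive roots; the check is deliberately read-only so it can be run before deciding to delete anything, and a clean result still does not replace applying the Microsoft patch.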

Symantec is offering a free tool called Symantec Security Check to help people to determine if their computers are vulnerable to the worm.

People running Microsoft's IIS server and Windows 2000 or NT should apply the Microsoft patch that protects systems from all currently known variants or spin-offs of the Code Red worm.