Worms
A worm is a computer program that has the ability to copy itself from machine
to machine. Worms normally move around and infect other machines through
computer networks. Using a network, a worm can expand from a single copy
incredibly quickly. The Code Red worm, for example, replicated itself over
250,000 times in approximately nine hours on July 19, 2001.
Worms use up computer time and network bandwidth when they are replicating, and
they often have some sort of evil intent. The worm called Code Red made huge
headlines in 2001. Experts predicted that this worm could clog the Internet so
effectively that things would completely grind to a halt.
The Code Red worm slowed down Internet traffic when it began to replicate
itself, but not nearly as badly as predicted. Each copy of the worm scans
the Internet for Windows NT or Windows 2000 servers that do not have the
Microsoft security patch installed. Each time it finds an unsecured server, the
worm copies itself to that server. The new copy then scans for other servers to
infect. Depending on the number of unsecured servers, a worm could conceivably
create hundreds of thousands of copies.
The Code Red worm is designed to do three things:
- Replicate itself for the first 20 days of each month
- Replace Web pages on infected servers with a page that declares "Hacked by
Chinese"
- Launch a concerted attack on the White House Web server in an attempt to
overwhelm it
The most common version of Code Red is a variation, referred to as a mutated
strain, of the original Ida Code Red that replicated itself on July 19, 2001.
According to the National Infrastructure Protection Center:
The Ida Code Red Worm, which was first reported by eEye Digital Security, is
taking advantage of known vulnerabilities in the Microsoft IIS Internet Server
Application Program Interface (ISAPI) service. Un-patched systems are
susceptible to a "buffer overflow" in the Idq.dll, which permits the attacker
to run embedded code on the affected system. This memory resident worm, once
active on a system, first attempts to spread itself by creating a sequence of
random IP addresses to infect unprotected web servers. Each worm thread will
then inspect the infected computer's time clock. The NIPC has determined that
the trigger time for the DOS execution of the Ida Code Red Worm is at 0:00
hours, GMT on July 20, 2001. This is 8:00 PM, EST.
Upon successful infection, the worm waits for the appointed hour and connects
to the www.whitehouse.gov domain. This attack consists of the infected systems
simultaneously sending 100 connections to port 80 of www.whitehouse.gov
(198.137.240.91).
The U.S. government changed the IP address of www.whitehouse.gov to circumvent
that particular threat from the worm and issued a general warning about the
worm, advising users of Windows NT or Windows 2000 Web servers to make sure they
have installed the security patch.
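
A defender's view of the Idq.dll overflow described above, as an added example that is not part of the original page: a Python check that flags web-server log lines requesting an .ida or .idq resource (the extensions handled by Idq.dll) with an unusually long query string, grouped by source address. The Common Log Format input, the 200-character threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Extensions served by the Indexing Service ISAPI extension (Idq.dll).
ISAPI_EXTS = (".ida", ".idq")
# Assumption: legitimate index queries are short; tune this for your site.
MAX_QUERY_LEN = 200

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def suspicious(line):
    """Return (source, path, query_len) when the line is an oversized
    request to an Idq.dll-mapped extension, otherwise None."""
    m = CLF.match(line)
    if not m:
        return None  # unparseable lines are skipped, not flagged
    src, _method, target, _status = m.groups()
    path, _, query = target.partition("?")
    if not path.lower().endswith(ISAPI_EXTS):
        return None
    if len(query) <= MAX_QUERY_LEN:
        return None
    return src, path, len(query)

def summarize(lines):
    """Count oversized ISAPI requests per source address."""
    hits = Counter()
    for line in lines:
        hit = suspicious(line)
        if hit:
            hits[hit[0]] += 1
    return hits

# Constructed sample lines: documentation address ranges, filler query text.
SAMPLE = [
    '192.0.2.10 - - [19/Jul/2001:14:02:11 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [19/Jul/2001:14:02:12 +0000] "GET /default.ida?'
    + "A" * 300 + ' HTTP/1.0" 500 0',
    '198.51.100.7 - - [19/Jul/2001:14:02:13 +0000] "GET /Search.IDQ?'
    + "A" * 250 + ' HTTP/1.0" 404 0',
    '203.0.113.5 - - [19/Jul/2001:14:02:15 +0000] "GET /query.idq?CiRestriction=worm HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for src, n in summarize(SAMPLE).most_common():
        print(f"{src}: {n} oversized .ida/.idq request(s)")
```

A source address that accumulates many such hits in a short window is a candidate for an infected host scanning for unpatched servers.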