
Code Red Virus!!!!

Reeflands Forum > General > Anything But Reefkeeping
Old 08-08-2001, 10:22 AM   #1
Governor
 
Join Date: Aug 2000
Location: Holbrook, NewYork, USA
Posts: 1,799
Code Red Virus!!!!

BEWARE! Back up your hard drives! After this one hits you, you need to start from scratch! It messes your PC up bad! Your PC slows down about 50%! Your internet connection is drastically compromised!

I've been hit, and now it takes about 5 min to start the PC up! And it freezes and crashes a lot!

One symptom is you have cable and the activity light is constantly lit up!

I just got an email from my ISP and everyone using it has been hit!

mark
FishKid
Old 08-08-2001, 10:42 AM   #2
Mayor
 
Join Date: Jun 2000
Location: dallas, tx, USA
Posts: 896
Fishkid,

The Code Red virus lives resident in your RAM only; if you simply reboot your computer you'll get rid of it. Also, it only affects computers running IIS, which is typically servers, although I have seen some apps that require IIS. The patch from Microsoft eliminates that threat, though.

It can affect the speed of the internet, but for EVERYONE. It causes each machine it infects to scan for more machines running IIS to infect. All this increased network traffic could cause slowdowns on the internet.

-Mike
__________________
I didn't do it. Nobody saw me do it. You can't prove anything.

Website

My other hobby
ravenmore
Old 08-08-2001, 10:48 AM   #3
Governor
 
Join Date: Aug 2000
Location: Holbrook, NewYork, USA
Posts: 1,799
I've rebooted constantly for the past hour or so; it is so slow that it is not funny. Weird thing is I'm not running NT or ME. It took me about a minute to load this page, which is devastatingly slow compared to what I am used to!

mark
FishKid
Old 08-08-2001, 11:05 AM   #4
Mayor
 
Join Date: Jun 2000
Location: dallas, tx, USA
Posts: 896
Well, the only possibilities I can think of are that either you have another virus on your PC, or the Code Red virus has infected the servers of your ISP, which is causing a dramatic slowdown for everyone on their network. Make sure your antivirus software is up to date and do a scan on your hard drive.

-Mike
__________________
I didn't do it. Nobody saw me do it. You can't prove anything.

Website

My other hobby
ravenmore
Old 08-08-2001, 01:29 PM   #5
Governor
 
Join Date: Jun 2000
Location: Rohnert Park, CA, USA
Posts: 1,102
Code Red targets Win NT and 2000 users. Not Mac, and generally not Win 9x or Win ME (unless for some strange reason you have it set up as a server). It really is a server virus, and as Ravenmore says, it targets computers running IIS.

And after all the news about it you would think that your ISP would have downloaded the patch from MS by now.

If it is running on your HD, it sounds more like your ISP sent another (read: different) virus to everyone, or your 'puter has been hacked and is running a denial of service attack program.

Here is a hint: FIREWALL and VIRUS SOFTWARE are mandatory if you are using cable!

Here is more on the virus from McAfee:

Quote:
This threat only affects Microsoft Windows 2000/XP running web servers. The worm does NOT affect desktop systems or pure file servers.

Your environment is at HIGH RISK if:

1) You have Microsoft IIS server installed with Windows 2000/XP.

2) You have NOT updated this server with the latest patch from Microsoft.

The exploit, a buffer overflow, is used to spread this worm (Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise).

THIS VIRUS EXISTS IN MEMORY ONLY (however, the .C variant does write a trojan program to the hard disk).

It spreads through TCP/IP transmissions on port 80. By making use of this exploit, the worm is able to send itself as a TCP/IP stream directly to its victims, which in turn scan the web for other systems to infect.

This is a rewrite of the W32/CodeRed.a.worm. This variant does not deface web pages or contain a DDoS payload. It uses the atom "CodeRedII" for self-recognition and thus does not reinfect already infected systems.

It checks whether Chinese (either Traditional or Simplified) is the language installed on the system. If it is Chinese, it creates 600 threads and spreads for 48 hours. On a non-Chinese system it creates 300 threads and spreads for 24 hours. After that, it reboots the system. At 12 am Oct 1, 2001 GMT it reboots the computer, thus clearing the worm portion from memory. However, since not all clocks are set correctly, the computer will almost immediately get reinfected and reboot again and again and again.

The worm tends to probe nearby systems with probability:
50% (4/8) - same Class A net (255.0.0.0)
37.5% (3/8) - same Class B subnet (255.255.0.0)
12.5% (1/8) - random

It tries to copy %windir%\CMD.EXE to the following files:
c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe.

It also tries to create a backdoor trojan (detected as W32/CodeRed.c trojan with the 4152 DATs) which it saves to c:\explorer.exe and d:\explorer.exe. This exploits the "Relative Shell Path" Vulnerability, which states that Windows will run c:\explorer.exe before %windir%\explorer.exe. So, the trojan can be run where EXPLORER.EXE is called.

On the next reboot, the trojan then calls the original explorer.exe. The trojan adds a value to the following registry key, to disable local file system security:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable

Two values are added to the following key to enable a remote attacker to have access to the C: and D: drives, via a web browser:

HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots

Also under this key, the /SCRIPT and /MSADC values are configured to allow read/write access to the paths associated with these values.

These changes allow a remote attacker to carry out shell functions on the local system by sending commands to it via a URL.

Finally, it goes to sleep and remodifies the registry keys every 10 minutes.

Indications Of Infection:

Presence of the files:
c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe.
__________________
Play well

Mark
www.mazdamark.com

Last edited by icemark; 08-08-2001 at 01:41 PM.
icemark
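The 4/8 - 3/8 - 1/8 probing preference in the McAfee write-up is the part that explains why one infected box on a cable ISP gets felt by its neighbours first. The following is an added illustration, not the worm's code and not from the McAfee text: it only generates candidate addresses (never traffic), and the sample size, seed and the 203.0.113.7 example address are my own choices.

```python
"""Model of Code Red II target selection as quoted above:
4/8 same class A (/8), 3/8 same class B (/16), 1/8 random.
Added example; it produces addresses only and sends nothing."""
import random
from typing import Dict


def pick_target(local_ip: str, rng: random.Random) -> str:
    """Return one probe target for an infected host at local_ip.

    Buckets 0-3 (4/8) keep the first octet, buckets 4-6 (3/8) keep the
    first two octets, bucket 7 (1/8) is fully random.  "Class A" and
    "Class B" are the old classful masks 255.0.0.0 and 255.255.0.0.
    """
    a, b, _, _ = (int(x) for x in local_ip.split("."))
    bucket = rng.randrange(8)
    if bucket < 4:
        return f"{a}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}"
    if bucket < 7:
        return f"{a}.{b}.{rng.randrange(256)}.{rng.randrange(256)}"
    return ".".join(str(rng.randrange(256)) for _ in range(4))


def classify(local_ip: str, target: str) -> str:
    """Label a target relative to the infected host.

    'same_b' if the first two octets match, 'same_a' if only the first
    octet matches, 'other' otherwise.
    """
    l, t = local_ip.split("."), target.split(".")
    if l[:2] == t[:2]:
        return "same_b"
    if l[0] == t[0]:
        return "same_a"
    return "other"


def probe_profile(local_ip: str, n: int, seed: int = 1) -> Dict[str, float]:
    """Fraction of n probes landing in the host's own /16, own /8, elsewhere.

    With these weights well over a third of the probes stay inside the
    host's /16 and close to nine in ten stay inside its /8, which is why
    an ISP's own customers see the scanning load before anyone else does.
    """
    rng = random.Random(seed)
    counts = {"same_b": 0, "same_a": 0, "other": 0}
    for _ in range(n):
        counts[classify(local_ip, pick_target(local_ip, rng))] += 1
    return {k: v / n for k, v in counts.items()}


if __name__ == "__main__":
    # 203.0.113.7 is a documentation-range address used as a constructed example.
    print(probe_profile("203.0.113.7", 20000))
```

Note that the "random" bucket can by chance land inside the host's own /8 or /16 too, so the measured fractions sit a little above 37.5% and 50% rather than exactly on them.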
Old 08-08-2001, 05:43 PM   #6
Governor
 
Join Date: Jun 2000
Location: San Antonio, Tx
Posts: 1,799
God I love the Mac.
__________________
2 + 2 != 4

Two is only loosely associated with two by a plus sign and therefore doesn't enter the equation at all since it is only there by mere complicity. We shouldn't count it and leave well enough alone.
MarkS
Old 08-08-2001, 05:59 PM   #7
Governor
 
Join Date: Jun 2000
Location: Rohnert Park, CA, USA
Posts: 1,102
Macs get viruses too; just more people use PCs, so there are greater numbers of slackers writing viruses for PCs.

http://www.faqs.org/faqs/computer-virus/macintosh-faq/

Macros and trojans are the most common, since most Mac people think they are immune. Too bad most Mac users use PC software for word processing (such as Word).

My favorites for Macs are the AutoStart worm versions, as they can contain programs that are hidden and do not have seen file types. So you could download one and have it run and you would never know where or when you got it.

And Macs online are by far the easiest to hack into for denial of service attacks, because no one ever uses firewalls with Macs.

You may want to get some software MarkS:

http://www.symantec.com/nav/nav_mac/features.html

Heck, there are even viruses for Unix/Linux now.
__________________
Play well

Mark
www.mazdamark.com

Last edited by icemark; 08-08-2001 at 06:17 PM.
icemark
Old 08-09-2001, 04:38 PM   #8
Governor
 
Join Date: Aug 2000
Location: Holbrook, NewYork, USA
Posts: 1,799
And I do have a firewall! It catches packets that are sent to my computer constantly. I think someone has hacked into my network, with three PCs on it!

mark
FishKid
Old 08-09-2001, 07:21 PM   #9
Moderator
 
Join Date: Jul 2000
Location: Hilliard , Fl.
Posts: 3,365
FK,

What FW software are you running?

Just curious.
__________________
"One man's vulgarity is another man's lyric"
-Justice John Marshall Harlan

"Send Lawyers, Guns and Money."
-WZ
schrocat
Old 08-09-2001, 08:06 PM   #10
Governor
 
Join Date: Jun 2000
Location: Rohnert Park, CA, USA
Posts: 1,102
So Mark, do you have:

Windows NT or 2000 or XP?

and are these files:

c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe

on your 'puter?

Betcha you don't. Betcha you have something else.

I am also wondering what you are using for a firewall and if you are using a software firewall has it been installed on all three 'puters?
__________________
Play well

Mark
www.mazdamark.com

Last edited by icemark; 08-09-2001 at 08:19 PM.
icemark
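Besides looking for the root.exe files icemark lists, the McAfee write-up gives two things you can hunt for in an IIS web log: the port 80 buffer overflow in the Index Server ISAPI extension (served through the .ida/.idq handler) that the worm spreads with, and use of the root.exe copies of cmd.exe under /scripts and /MSADC, which an attacker drives by putting a command in the URL. The detector below is an added example, not from the thread or from McAfee; the cut-down log format, the sample lines, the .ida/.idq extension check and the 200-byte query threshold are all my own assumptions.

```python
"""Hunt for Code Red II traces in IIS-style web log lines.
Added example with a constructed log format:
    client-ip method uri-stem uri-query status   (uri-query is '-' if empty)
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# root.exe in either directory the write-up names.  IIS paths are
# case-insensitive, so the match is too.
BACKDOOR_RE = re.compile(r"^/(scripts|msadc)/root\.exe$", re.IGNORECASE)

# Index Server ISAPI extension handlers (assumption: .ida / .idq).
IDA_RE = re.compile(r"\.id[aq]$", re.IGNORECASE)

# A real Index Server query is short; the overflow needs hundreds of bytes.
# Threshold chosen for this example, not a figure from the write-up.
OVERLONG_QUERY = 200


def classify_request(stem: str, query: str) -> Optional[str]:
    """Return a finding name for one request, or None if it looks benign."""
    if IDA_RE.search(stem) and query != "-" and len(query) >= OVERLONG_QUERY:
        return "ida_overflow"
    if BACKDOOR_RE.match(stem):
        return "root_exe_backdoor"
    return None


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, finding, uri_stem) for every suspicious line."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real tool would count and report these
        ip, _method, stem, query, _status = m.groups()
        finding = classify_request(stem, query)
        if finding:
            hits.append((ip, finding, stem))
    return hits


def suspect_sources(hits: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Group findings by client so each probing host is listed once."""
    out: Dict[str, Set[str]] = {}
    for ip, finding, _ in hits:
        out.setdefault(ip, set()).add(finding)
    return out


# Constructed sample: a normal fetch, a worm probe (the long query is
# filler, not the worm's real payload), two backdoor uses, and a short
# legitimate Index Server query that must not be flagged.
SAMPLE_LOG = [
    "192.0.2.10 GET /default.htm - 200",
    "198.51.100.23 GET /default.ida " + "X" * 224 + "%u9090%u6858 200",
    "198.51.100.23 GET /scripts/root.exe /c+dir 200",
    "203.0.113.5 GET /MSADC/root.exe /c+dir+c:\\ 200",
    "192.0.2.11 GET /search.idq CiRestriction=reef 200",
]

if __name__ == "__main__":
    for ip, findings in suspect_sources(scan_log(SAMPLE_LOG)).items():
        print(ip, sorted(findings))
```

A host that shows up with both findings is the pattern to expect: the overflow request is the infection attempt, and the root.exe request afterwards is someone (the worm's author or anyone who found the box) using the backdoor it left. A machine running Windows 98 with no IIS, as FishKid describes, would not log any of this because it has no web server to hit.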
Old 08-09-2001, 11:30 PM   #11
Governor
 
Join Date: Aug 2000
Location: Holbrook, NewYork, USA
Posts: 1,799
I'm running InoculateIT and McAfee on all 3 computers, and most of the time only 1 is on. No, I have Windows 98. But a hacker friend of mine has figured it out! The virus installs a program that unzips itself and sends out packets to other 'puters at around 1k a sec, and it spreads like the plague; then another one of the same programs is on your PC running in RAM and sending out more and screwing your connection up.

mark
FishKid
Old 08-10-2001, 11:18 AM   #12
Governor
 
Join Date: Jun 2000
Location: Rohnert Park, CA, USA
Posts: 1,102
Again, it sounds like there is something other than Code Red on your 'puter.

If McAfee didn't catch it, then contact them and tell them what is happening. They always want to know about new bugs.
__________________
Play well

Mark
www.mazdamark.com
icemark
Old 08-13-2001, 08:30 PM   #13
Governor
 
Join Date: Jun 2000
Location: CA, USA
Posts: 1,238
The Code Red worm can also infect HP laser printers if they are on a network. It got mine. In general, Macs are not always safe from viruses written for Microsoft products. For example, if you run Microsoft Word on your Mac, you probably will eventually get a Word macro virus, especially if you download Word documents from email or web sites. These can also be propagated in PDF files made from Microsoft Word files.

But for those of you who insist upon operating systems written by criminal scofflaws, please, please keep using Microsoft products. The fewer people who have Macs, the safer I will be.
wgscott
Old 08-13-2001, 10:36 PM   #14
Governor
 
Join Date: Aug 2000
Location: Holbrook, NewYork, USA
Posts: 1,799
Well, my PC was down for 2 days because the virus completely crippled it. We had to start from scratch; it took 2 days of cussin' at it to get it back on!

mark
FishKid