Code Red
Code Red is a computer worm first observed on the Internet in July 2001 that targeted Microsoft IIS web servers by exploiting the IIS Index Server/ISAPI .ida buffer overflow vulnerability (MS01-033, CVE-2001-0500), for which Microsoft had already released a patch on June 18, 2001. It propagated by scanning for additional hosts and sending a crafted request containing a long overflow string to vulnerable servers, where the overflow gave it code execution with system-level privileges. Early variants were memory-resident, so rebooting removed the worm from memory, but an unpatched system was immediately vulnerable to reinfection.
The original Code Red worm spread during days 1-19 of each month, launched a denial-of-service attack from days 20-27 against fixed targets including the IP address of www1.whitehouse.gov (the White House web server), and then entered a sleep phase near the end of the month. Its payload also defaced some websites with the message "HELLO! Welcome to http://www.worm.com ! Hacked By Chinese!" (often cited simply as "Hacked by Chinese"). Researchers Ryan Permeh and Marc Maiffret of eEye Digital Security analyzed and named the worm. The first version used a static seed for its random number generator, which limited its spread because every infected host probed the same sequence of addresses; a variant with a truly random seed, commonly referred to as Code Red v2, began spreading around July 19, 2001 and infected more than 359,000 machines in under 14 hours, peaking at over 2,000 new infections per minute.
Code Red caused widespread global disruption across North America, Europe, and Asia. Beyond the direct compromise of IIS servers, its massive scanning traffic caused broader infrastructure impact and reportedly crashed or rebooted some routers, switches, DSL modems, printers, and other devices with web interfaces when they were probed. CAIDA measurements showed infected hosts concentrated in the United States, Korea, China, and Taiwan, with infections also observed in .GOV and .MIL domains.
A related but distinct worm, Code Red II (CodeRedII), appeared on August 4, 2001 and exploited the same IIS flaw. Despite the name, its behavior was substantially different from the original Code Red family: it installed a persistent backdoor that gave remote root-level access, used locality-biased scanning that favored nearby subnets, and did not include the original's web-page defacement or White House denial-of-service routine. Because Code Red II was not memory-resident, cleanup required both patching and removing the malware. The outbreak also prompted the release of controversial self-propagating 'anti-worm' tools such as Code Green and CRclean, which attempted to patch and clean Code Red-infected systems without administrator consent.
High-confidence indicators and artifacts for this family include exploit requests to /default.ida carrying long encoded payloads, long sequences of repeated 'N' characters in Code Red exploit traffic, and web defacement text referencing worm.com and 'Hacked By Chinese.'
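As an added illustration (not part of the original page), a small Python scanner that applies these indicators to IIS W3C extended log lines: a request to /default.ida whose query string carries a long run of 'N' characters is flagged regardless of the returned status, since a probe against a patched server is still evidence of an infected source. The log lines, the field layout and the 32-character run threshold are constructed assumptions.

```python
import re

# Constructed sample IIS W3C extended log (not real telemetry). Line 2 models a
# Code Red style probe: a long run of 'N' followed by %u-encoded bytes.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:02:11 203.0.113.7 GET /default.ida " + "N" * 64 + "%u9090%u6858 200",
    "2001-07-19 10:02:12 198.51.100.4 GET /index.html - 200",
    "2001-07-19 10:02:13 192.0.2.9 GET /default.ida short 404",
    "2001-07-19 10:02:14 192.0.2.9 GET /default.ida " + "N" * 64 + "%u9090 404",
])

# Assumed threshold: the page only says "long sequences"; 32 is chosen to
# avoid matching ordinary query strings while catching the overflow filler.
MIN_RUN = 32
N_RUN = re.compile(r"N{%d,}" % MIN_RUN)


def parse_line(line):
    """Split one W3C log line into the fields the heuristic needs."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"ip": fields[2], "uri": fields[4], "query": fields[5], "status": fields[6]}


def is_code_red_probe(rec):
    """True when the request matches the .ida overflow pattern described above."""
    if rec["uri"].lower() != "/default.ida":
        return False
    return N_RUN.search(rec["query"]) is not None


def scan_log(text):
    """Return the distinct source IPs that sent matching probes, in order seen."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec and is_code_red_probe(rec) and rec["ip"] not in hits:
            hits.append(rec["ip"])
    return hits


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))  # ['203.0.113.7', '192.0.2.9']
```

Each flagged source IP is a host that is itself likely infected and probing, which is the usual reason Code Red showed up in a defender's logs long after the MS01-033 patch.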
Techniques & procedures
Execution
On June 18, 2001 eEye released information about a buffer-overflow vulnerability in Microsoft's IIS webservers. The remotely exploitable vulnerability ... allows system-level execution of code ... the ISAPI .ida filter fails to perform adequate bounds checking on its input buffers. On July 12, 2001, a worm began to exploit the aforementioned buffer-overflow vulnerability in Microsoft's IIS webservers.
Recent activity
A well-known internet worm referenced as one of the major outbreaks that pushed the industry toward better security practices and visibility.
...it’s important to remember that NIMDA happened. Code Red existed.