‘Code Red’ virus set to explode again

FBI issues warning so Web users can prepare themselves

Officials, including the FBI, have taken the unprecedented step of warning about a recurrence of the "Code Red" worm computer virus, which infected more than 250,000 machines within nine hours when it was unleashed in mid-July.

"We're taking it real serious as far as letting people know, so they can prepare themselves," said FBI special agent Bill Matthews. "For companies or servers running networks, it could be a real problem."

But the e-mail messages that are bombarding personal computers, slowing down systems and clogging in-boxes are not related to Code Red, which impacts Web site operators, not individual PC users.

That pesky virus, called the Sir Cam virus, prompted the Salt Lake City School District to shut down its e-mail system Monday, with plans to leave it down until late Wednesday, according to district spokesman Jason Olsen.

Also a "worm," Sir Cam spreads through e-mail. When an infected attachment is opened, the worm file randomly selects private documents and files and sends them to all the victim's contacts in the address book. It uses the document's name as the subject line, so the e-mail appears to be legitimate. And it hides itself in the system, attempting to restart the process every time an executable file is opened.

The Sir Cam virus, which has attracted much less public attention than the Code Red worm, carries a line in the message text of the e-mail that's a variation on "I write this so that I may ask your advice" or "Here is the information that you requested." The attachment has a double extension (as in .com.pif), which is not a legitimate extension. Anything with a double extension should not be opened, according to anti-virus experts.

Sir Cam is pesky but doesn't actually damage the computer. Officials are more concerned about the destructive potential of the Code Red worm, expected to reappear Tuesday evening. Last week, the Pentagon shut down its Web servers temporarily after it was infected.

The worm exploits a flaw in Microsoft's Internet Information Services Software. It can also damage small networks that use a certain type of Internet router, made by Cisco Systems.

With most computer viruses, the computer operator at least has to do something, like open an attachment, to activate it. That's not the case with Code Red, Matthews said. "This worm will browse the Internet and look for computers that are on and susceptible to it. Then it goes out and installs itself. There's no action by the user," and that makes it more problematic.

The worm program was written to spread to as many computer systems as possible during the first part of its cycle, then all the infected computers would bombard the White House Web site address. The White House thwarted earlier attempts by changing its numeric Web address.

Davis School District was affected by the Code Red virus last week, but only on four or five machines. DSL routers were affected. The virus didn't do any damage, and district technicians had to simply reboot the computers.

"We've since patched that," district spokesman Chris Williams said. "We don't really anticipate any further problems tonight."

How serious Code Red is remains subject to debate. McAfee.com and BugNet issued stern security bulletins about the threat. Panda Software warns that it could bring "Internet meltdown." But others, like Kaspersky Lab, appear less concerned. Kaspersky issued a release Tuesday aimed at calming some fears.

"We don't exclude the possibility of a repeat (Code Red) epidemic; however, the cases of infection by this worm will be sporadic and the scale of spreading won't be anything like the first series of infections," according to Eugene Kaspersky, head of anti-virus research for Kaspersky Labs.

The lab said most systems administrators have now installed the Microsoft patch and updated their systems' anti-virus protection. Those that haven't should, Matthews said.

E-MAIL: lois@desnews.com