Code Red Turns CodeGreen

A German programmer released source code for a new worm called CodeGreen, which he designed to combat the Code Red worm. The Code Red worm infects unpatched Microsoft IIS systems by exploiting a vulnerability related to index services. Once the worm infectes the IIS systems, the worm spreads rapidly. CodeGreen works by running on a system and waiting for Code Red to attack that system. When CodeGreen detects an attack, it launches a counterattack that removes Code Red and installs a copy of CodeGreen on the attacking system.

Once active on a system, CodeGreen takes several steps to eradicate Code Red. According to the program's author, who goes by the name Herbert HexXer, CodeGreen establishes a signature (called an atom) in the system's memory in the same way Code Red establishes its signature. This signature prevents Code Red from reinfecting the system, because the system appears to be infected already when, in reality, it's not. CodeGreen also attempts to remove the root.exe Trojan horse and drive mappings that Code Red installed. CodeGreen next determines the system's language and attempts to download and install the Microsoft patch (MS01-033). The CodeGreen worm also scans for other systems that Code Red has infected and attempts to patch those systems also. Similar to Code Red, CodeGreen is memory resident only, which means that rebooting the system removes the worm.

HexXer released the CodeGreen code on the Vuln-Dev mailing list over the weekend. HexXer said that although he's successfully tested CodeGreen on German language systems, he's uncertain whether his code works on non-German language systems.

In response to HexXer's post to Vuln-Dev, another German, Markus Kern, also posted source code for a program called CRclean that eradicates the Code Red worm. Kern said that his code is a worm that spreads passively to any system that tries to send Code Red. Once active on a system, Kern's code removes the Code Red worm and waits for further attacks. Kern published the CRclean code with a broken spreading mechanism, which might help ensure that less-experienced programmers won't misuse Kern's code.