Code Red Moving at Snail's Pace
NEW YORK, Aug. 2, 2001 -- The Code Red worm continued to crawl around the Internet today, but computer experts say its pace has become, well, sluggish.
"We are cautiously optimistic that the impact of the infection stage of this particular variant of the Code Red worm, which we will call Version 2, has been minimized," said Jeff Reed, a staff member at the CERT Coordination Center of Pittsburgh's Carnegie Mellon University. "However, not all harm has been averted."
Although estimates of Code Red's spread vary, it appears that more than 200,000 computers worldwide have been infected by it in the last two days, a number approaching the extent of the worm's scope when it first surfaced in July.
Still, Reed said, the speed of Code Red's proliferation had decreased markedly today: "Although we continue to see an increase in the number of computers that are being infected by Version 2, the rate of increase is slowing down."
Pentagon Shut Down Sites
On Wednesday evening, the Pentagon was forced to shut the public out of many Defense Department Web sites in response to the worm.
At the same time, a number of Defense Department sites — including the DefenseLINK gateway — were open.
Code Red was first detected July 19, when it infected an estimated 300,000 computers using Microsoft's Windows 2000, Windows NT or Internet Information Server version 4.0 or 5.0, and launched an attack on the White House's Web site.
That attack was foiled, although the Pentagon also temporarily shut down its Web sites the next week to install protection against the worm.
Code Red then went into a period of dormancy, but began infecting computers again after its reactivation on Tuesday at 8 p.m. ET.
The damage wrought by Code Red has been limited in part because computers using Microsoft's Windows 98 or Windows 95, or using any of Apple's Macintosh operating systems, are not vulnerable to the worm, which is intended to create outages on major Web sites, slowing down Internet traffic in the process.
Microsoft has also provided a security patch that can be downloaded from its Web site and used to protect against Code Red. An estimated 1 million people have downloaded the patch so far.
White House Clean
The White House Web site has been unaffected by the reemergence of the worm, and there have been relatively few reports of disturbances in Internet traffic due to Code Red.
"We have been monitoring it closely," White House spokesman Ari Fleischer told reporters on Wednesday. "At this time there has been no impact on the White House."
But while the overall effect of the worm has not been catastrophic, computer security experts have been cautious about it.
"There are pockets of this worm in the wild right now," says Jerry Freese, director of intelligence at Vigilinx, a digital security solutions provider in New Jersey monitoring Code Red.
Freese points out that with an estimated 8 million servers in operation worldwide, the majority of vulnerable machines in use have still not been protected against the worm.
On the 20th Day, Code Red Attacked
Code Red is programmed to do its damage over an extended period of time. It operates in two phases over a 20-day cycle. For the first 19 days, the worm spreads onto unprotected servers. From each of those, it attempts to latch on to 99 new servers. On the 20th day, the computers carrying the worm are instructed to bombard the target Web site.
Two versions of the Code Red worm have been observed. Both take advantage of a security flaw in some versions of Microsoft's network servers, and instruct the servers to bombard government Web sites with streams of data. The company first announced both the flaw and the patch to fix it on June 18.
In at least one of the versions, the worm installs the phrase "Hacked by Chinese!" on the attacked Web sites. However, investigators have emphasized that this does not necessarily mean the worm was written in China.
Ronald Dick, director of the FBI's National Infrastructure Protection Center, has said that Code Red should not damage individual computers in the way some widespread viruses can.
"The damage from this particular worm is not necessarily from the intrusion into the systems itself," said Dick. "It doesn't go in and destroy files, it doesn't go in and alter data that we're aware of. Basically what it does is take advantage of the vulnerability of a Microsoft Internet service software and then launches on a pre-scheduled time service attack on a particular target."
Meanwhile, cyber-security analysts say Code Red could produce some offspring.
"This has brought some new techniques in as far as writing a worm," says Simon Perry, vice president of security at software firm Computer Associates. "You will see copycats that use this as a propagating technique."
As Marty Lindner of the CERT Coordination Center concludes: "I think it's safe to assume that Code Red is the first of a new breed, and there will be more like it."
ABCNEWS' Peter Dizikes contributed to this report.