Red Alert: Preventing a Computer Worm
The Code Red worm infected a number of Microsoft Windows systems at
Penn this summer. As people return this fall we expect a resurgence.
Code Red I uses your system to attack other computers. A later variant,
Code Red II, creates "back doors" on your system, allowing
anyone to view your passwords and read or delete your files. Code
Red II is extremely difficult to remove, requiring that you re-install
Windows. A worm is unlike a computer virus, which requires some action
to spread. For example, a virus spreads when you click on an infected
e-mail attachment. Worms spread by themselves.
Code Red is preventable. Information Systems and Computing (ISC) reminds
everyone at Penn to protect their system by following these steps:
Determine if your system is vulnerable. All PCs running Windows NT
(Server & Workstation) and Windows 2000 (Server & Professional)
are vulnerable. PCs running Windows 95, Windows 98, Windows
Millennium Edition or UNIX/Linux cannot be infected by either
Code Red version. Macintosh and UNIX systems cannot be infected.
Install the patch. To protect your system from Code Red, you must
install patches using instructions at: www.microsoft.com/technet/itsolutions/security/topics/codeptch.asp.
NOTE: Windows 2000 users must first install Windows
2000 Service Pack 2 before installing the above patches. To
install Service Pack 2, choose "Windows Update" from
the Start Menu, and follow the link for Service Pack 2.
Find out if your system has been infected. Norton AntiVirus
(NAV) will not prevent infection (you need the patch for that),
nor will it detect Code Red I. But it will detect Code Red II.
Install NAV and then run a full scan. To install and configure
NAV, see: www.upenn.edu/computing/product/desk/nav.html.
Also, if your system has been infected by Code Red II, you
will find a file called C:\Inetpub\scripts\root.exe on your
hard drive. (If you have drives other than C:, you should check
them as well.)
Clean your computer if it has been infected. To clean infected
computers, follow the instructions at: www.upenn.edu/computing/virus/codered/.
Infected machines must be reformatted and reloaded with original
software to remove the worm.
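The file check from the "has been infected" step can be run across every drive at once. The script below is an added example, not part of the original advisory; the function names are hypothetical, and the case-insensitive match is an assumption so that the same check also works on a drive mounted from another operating system.

```python
import os
import string

# Indicator path from the advisory, relative to a drive root:
# C:\Inetpub\scripts\root.exe (checked on every drive, not only C:).
INDICATOR_PARTS = ("Inetpub", "scripts", "root.exe")


def find_child(directory, name):
    """Return the entry of `directory` that matches `name` ignoring case, else None."""
    try:
        entries = os.listdir(directory)
    except OSError:  # drive missing, unreadable, or not a directory
        return None
    for entry in entries:
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def check_root(root):
    """Return the full path of the indicator file under `root`, or None."""
    current = root
    for part in INDICATOR_PARTS:
        current = find_child(current, part)
        if current is None:
            return None
    return current if os.path.isfile(current) else None


def windows_drive_roots():
    """List drive roots (A:\\ .. Z:\\) that exist; empty on non-Windows hosts."""
    roots = [letter + ":\\" for letter in string.ascii_uppercase]
    return [root for root in roots if os.path.exists(root)]


def scan(roots):
    """Check each root and return the indicator paths that were found."""
    hits = [check_root(root) for root in roots]
    return [hit for hit in hits if hit is not None]


if __name__ == "__main__":
    found = scan(windows_drive_roots())
    for path in found:
        print("Code Red II indicator present:", path)
    if not found:
        print("root.exe indicator not found on any drive")
```

This looks only for the Code Red II file named above; it does not check for Code Red I and does not replace the NAV scan.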
Disconnection: ISC will disable PennNet network ports for any
machines infected with Code Red.
Students in College Houses: Contact your information technology advisor
(ITA). See www.rescomp.upenn.edu/.
Students living off-campus, in Sansom East and West, and in the Greek houses:
Contact First Call (215) 573-4778 or visit the Computing Resource
Center (CRC), M-F from 1-4:30 p.m., at Suite 202 Sansom Place West.
Faculty and staff: Contact your local support provider (LSP). If you
don't know who your local support provider is, consult www.upenn.edu/computing/view/support/.
Millar, University Information Security Officer, Data Administration
Almanac, Vol. 48, No. 3, September 11, 2001