Businesses Brace For Return of 'Code Red' Computer Bug

By Patrick Goodenough | July 7, 2008 | 8:09 PM EDT

London ( - Alerted by the FBI, British companies were bracing Tuesday for the return of the infamous Code Red computer bug, which experts have warned could paralyze the Internet and cause global havoc after it strikes later tonight (2400 GMT, or 2000 EDT).

It's believed the Code Red worm is already lying dormant on thousands of computer servers here and many more elsewhere, waiting for the arrival of August. It first struck earlier this month.

The worm operates by scanning the Internet, looking for insecure computer systems to infect.

When it finds a new home, the worm defaces a company's website with the words "Welcome to http://! Hacked By Chinese!" It may also instruct the computer to connect to the website of the White House in Washington, in an attempt to overload it with bogus data requests..

The White House earlier changed the IP address for its public websites to circumvent the problem.

Apart from the bug defacing individual websites, the process of scanning the Internet could cause widespread disruptions and slowdowns, experts fear.

Britain's Home Office has echoed the FBI warning to businesses in the UK, as well as in Australia and Canada.

Unlike a virus, a worm does not require a computer user to download a contaminated email or file in order to be affected.

Vulnerable servers are those using Microsoft Windows 2000 or NT, in conjunction with its Internet Information Server (IIS) software. System administrators who are concerned can download a security file called a "patch," available free on the Microsoft website.

Computers running Windows 95, 98 or ME are not affected.

But although the patch has been available for the past six weeks, UK virus specialist Graham Cluley said many companies had failed to install it, and they could get a "nasty shock" Wednesday when their site is defaced for the world to see.

"The harm this worm does, apart from denying you access, is to your reputation," said Cluley, of Sophos anti-virus. "Everyone who looks at your company's website will know that you don't take security very seriously."

Despite the "Hacked by Chinese" message, investigators have no idea where the worm originated, and they are urging anyone with information about the perpetrators to come forward.

At a press conference in Washington on Monday evening, Ronald Dick of the FBI's National Infrastructure Protection Center (NIPC) warned of the potential threat the worm could pose to the Internet.

He said installation of the security patch should be considered "a civic duty" for those running IIS server software.

The CERT Coordination Center, an Internet security facility at Carnegie Mellon University, said in a statement the worm was "a very real and present threat to the Internet."

"The worm scans the Internet, identifies vulnerable systems, and infects these systems by installing itself," CERT explained. "Each newly-installed worm joins all the others, causing the rate of scanning to grow rapidly.

"This uncontrolled growth in scanning directly decreases the speed of the Internet and can cause sporadic but widespread outages among all types of systems."

Patrick Goodenough
Patrick Goodenough
Spencer Journalism Fellow