NOTE: A new variant of the Code Red worm (called Code Red v.3) has been
detected. Click here for more info.
Q. What is a worm?
A. It's a malicious computer program that spreads through
computer networks. It's like a virus but uses network connections to
move from computer to computer. See the Webopedia definition.
Q. Who is susceptible to the Code Red Worm?
A. This worm is aimed at Windows NT 4.0 and Windows 2000 computers
and does damage on Web sites that use this technology. It does not affect
Windows 3.1, Windows 95, Windows 98 or Windows Me computers. Specifically,
it affects Microsoft Index Server 2.0 and the Windows 2000 Indexing
service on computers running Microsoft Windows NT 4.0 and Windows 2000
that run IIS 4.0 and 5.0 Web servers.
Q. How do I tell which version of Windows is on my computer?
A. The easiest way is to click the START button and see what
is written vertically along the side of the popup menu.
Q. Is Office 2000 the same as Windows 2000?
A. No, Office 2000 is the Microsoft suite that includes Word,
Excel, PowerPoint and more productivity tools. It has nothing to do
with Windows 2000. It is not vulnerable to the Code Red worm.
Q. What does the Code Red worm do?
A. It launches a denial of service attack on Web servers. That means
it transmits junk data to another server in order to overwhelm it. It
is triggered to happen between the 1st and 20th of every month. These
attacks go dormant after the 20th until the 1st of the next month.
Between the 20th and 28th of the month, the worm attempts a Denial of
Service attack on a particular IP address (an IP address is like a unique
phone number for each computer on the Internet) by sending large
amounts of junk data to port 80 (Web service) of 198.137.240.91,
which was www.whitehouse.gov.
It also posts the following message on a Web site on the affected server:
Welcome to http://www.worm.com !
Hacked By Chinese!
Q. I heard it attacks the White House? What happened with that?
A. Code Red is designed to attack the address 198.137.240.91, which
was the numeric Internet address for www.whitehouse.gov.
This IP address has been changed and is no longer active.
Q. What is the Code Red II worm?
A. Code Red II is a variant on the original worm that creates a backdoor
in a server so that a hacker can easily access the server and do damage
if he or she chooses. To fix the infection, reboot the server and install
the Microsoft patch, as you would with the original worm. If the patch is
already installed, your server is not vulnerable to this new strain.
More information here:
Incidents.org - Tech info on Code Red II
News.com: "Code Red - the worm returns"
ZDNET: "New Code Red: Worse than before?"
Symantec Anti Virus Center - threat analysis
Q. How can a home or small business user be affected if they don't run
Windows NT 4.0 or Windows 2000?
A. If you have a Web site that is hosted by
a third party using these technologies, you are vulnerable.
Your Internet hosting service, where your Web site
is hosted, should be taking measures to protect its
servers. This worm could also cause performance issues
on the Internet, so you may find a slowdown on some
days when the worm is launching massive attacks.
Q. Where does it attack from?
A. When it finds a computer that it can infect, it launches a Denial
of Service attack on 100 random Internet servers. If it infects your
computer, then your computer will attack other computers.
Q. How can I check to see if I am infected?
A. Symantec has tools for this. Corporate users click here for an
online scan or click here to download a tool. Both are free.
Home users can click here for an online scan or click here to
download a tool.
More info at: http://www.symantec.com/avcenter/venc/data/codered.worm.html (Scroll
down to the "Additional Information" section.)
Q. Is there a fix?
A. Yes, first reboot your computer. The worm does not affect
a system's files. It goes into the server's memory and runs from there.
Therefore if you reboot your computer it will be wiped off your system.
Q. How do I stop the infection from happening again?
A. Protect your Windows NT 4.0 and Windows 2000 computer by
installing a patch from Microsoft. Info available here. Click
here for the Windows NT patch. Click here for the Windows
2000 patch. The worm does not affect Windows 3.1, Windows 95, Windows
98, Windows 98 Second Edition or Windows Me (Millennium Edition).
Q. Can a computer be infected more than once?
A. If you install the Microsoft patch, then no. If you reboot to
kill an existing infection and don't install the patch, then your machine
can be infected again. An unprotected machine can have more than one worm
in it, as the worm runs as a process in memory and memory by design runs
multiple processes (or tasks) at once.
Q. How many infections of the worm have there been to date?
A. This number changes hourly, but see the real time graphs at Incidents.org.
Q. Where can I find more information?
A. Here are some links to more information about the Code Red worm:
Q. Where can I get further help?
A. See item #1 of our Emergency
Help page to get a live person to help you.
Q. Do I need an anti-virus program?
A. This worm is targeted at Web servers on Windows 2000
and Windows NT 4.0 computers, so the bulk of home users will not be affected
by it. However, it's a good idea to ensure that you have an anti-virus
program installed and up-to-date at all times, as new viruses appear
every day. Click here to buy Norton AntiVirus now from Amazon.com.
If you already have an anti-virus program, update your virus signatures
first by going to your anti-virus program maker's home page (www.norton.com, www.mcafee.com, trendmicro.com)
or using the update command inside the program, usually under the Help menu.
If you want to scan your hard drive now using a Web utility, click
here to use McAfee On-line. This requires a credit card payment
of $40 US ($60 Canadian) for the year. Alternately, TrendMicro offers
a free scan using a Web utility called Housecall, though it does not
offer ongoing protection. Click here to try it.