Code Red offshoot packs mild punch

Security experts said Wednesday there was little cause for alarm from a minor new variant of the destructive Code Red worm that began circulating this week.

Code Red.F, which differs from the original Code Red by only two bytes, began spreading Tuesday, according to reports from security software makers Symantec, McAfee and F-Secure. The new variant is detected by existing virus signatures for Code Red, according to the companies, and is blocked by patches for Microsoft's Internet Information Server (IIS), which most administrators installed before or during the original Code Red outbreak.

The original Code Red wreaked widespread havoc during the summer of 2001, infecting more than 350,000 Web servers running IIS. The infected servers were used to spread the worm and to launch a denial-of-service attack on the main Web site for the White House.

The first sequel to Code Red also caused widespread damage, but subsequent variations on the worm packed a minor punch, largely because the IIS hole the worm exploits had already been patched.

According to a security bulletin from Symantec, the main difference in Code Red.F is that it removes the expiration date that prevented the original worm from activating if the year was later than 2001.

Most security firms classified the new variant as a moderate threat, with negligible infections reported so far.

Kevin Haley, group product manager with Symantec Security Response, said the company saw a brief surge of infections in Europe on Tuesday night, but activity has been minimal since then.

"It looks like people learned a lesson with the first Code Red," he said. "They've updated their patches for IIS and kept their (antivirus) definitions current."