bodyType

customContents

entityId

entityUuid

articlePageQuery

filter

article

articleBaseAdvertisingInfoArticle

articleListArticle

articleSeoArticle

helpersCheckIsPostiesArticle

hooksArticleAcknowledgementGateOverlayArticle

hooksTrackPageViewArticle

hooksContentInterestArticle

articleLinkingDataContent

hooksAmpRedirectArticle

articleSchemaContent

liveArticle

advertZone

sentiment

contentLock

topics

types

sections

paywallTypes

createdDate

publishedDate

moreOnThisArticles

urlAlias

commentCount

authorLocations

authors

corrections

sponsorType

displaySlideShow

multimediaEmbed

printHeadline

seriesContainer

articleSpeeches

socialHeadline

headline

images

flag

firstTopic

glossary

flattenTypeIds

additionalInfoBoxes

quizIds

image

relatedLinks

relatedNewsletters

__typename

sponsor

pdfFiles

seriesReverseOrder

series

disableOffPlatformContent

published

updatedDate

summary

subHeadline

body

keywords

readingTime

customTimezone

liveContents

Lydia Zajc

A new, more malicious worm, named Code Red II, appears to have infiltrated large numbers of Microsoft Windows Web servers in Hong Kong, making them more vulnerable to attacks.

Code Red II wriggles through holes in the machines and drops software code that looks innocent but opens up all the machines and any information contained on them to potential intruders.

Experts say it is more virulent than a similar worm nicknamed Code Red that did little more than deface Web pages before seeking out other vulnerable systems.

Customers of Pacific Century CyberWorks' Internet service provider Netvigator have been among those hit by the worm.

A Netvigator spokesman said the firm had applied Microsoft's prescribed software patch to holes in its Web servers that run Microsoft Internet Information Services (IIS). However some Netvigator clients running their own servers, and using Netvigator only to access the Net, were hit, said PCCW spokeswoman Joan Wagner.

Netvigator provides a variety of hosting services, along with Internet access via broadband and phone lines to businesses and home users.

The worm has 'Code Red II' inserted in its strings, a reference to the other bug that already has attacked about 650,000 servers worldwide. However, some experts believe it is a new, mischievous program that simply preys on the same weaknesses in Microsoft's IIS Web servers.

The code already has spread through Hong Kong, the mainland, South Korea and Taiwan.

Code Red II is twice as active on Chinese-language servers - it sends out 600 searches for 48 hours, compared with 300 in 24 hours for the rest. The earlier worms attacked only English-language machines.

This worm's code runs only on a Windows 2000 system with a vulnerable server. A Windows NT-based server would crash when it tried to execute the code, experts said.

It also propagates by seeking out vulnerable systems and can even re-infect servers hit by the original Code Red, according to the Hong Kong Computer Emergency Response Team (Cert).

One information technology consultant said his Macintosh system was scanned repeatedly by networks of which Netvigator and other ISPs in Hong Kong and across the region were identified as the administrators.

Vince Loden, a Macintosh computer consultant and former IT manager, said Code Red was likely to have hit Netvigator clients.

A security report produced by Mr Loden's software by mid-Tuesday showed 824 scans from infected machines, starting at 12.46am on August 1. Dozens of IP addresses linked to Netvigator accounts were recorded, starting early on August 4.

Ms Wagner said in an e-mail that the clients 'were connected to a different server, and therefore we have no control over their security management'.

'Once the customer is affected, they may pass the worm to others - sending a lot of requests into the network and slowing down the network in general,' she added.

One IP address in Mr Loden's list was linked to Asia Online, which also has Net access and hosting services. Asia Online's vice-president of security, Bert Forbes, said that it was likely to have been from a client who had used the service but did not allow Asia Online to touch its box.

Web measurement site www

.netcraft.com said Microsoft's IIS was the second-most popular Web server worldwide. It was used by 26 per cent of machines tested in a July survey, against 59 per cent that ran the free Apache system.

Rob Hall, managing director at IT consultancy Global Link Consulting, spent 18 hours fighting the worm. His team had to put 12 Web servers online for a Taiwanese client, but the worm struck before they could download the Microsoft fix.

Anti-virus software managed to detect the presence of the bug but did not prevent infection, Mr Hall said.

Once the servers - which cost nearly HK$7,000 each - were online, they recorded 'horrendous' traffic when there should have been none, Mr Hall said.

His team finally managed to download the Microsoft patch, put it in place and eliminate the infections.

The new malicious code, which surfaced on Saturday, sparked two reports to the Cert, said consultant Patrick Li. People voluntarily register Net threats with the education and tracking centre, which recently issued a warning on Code Red II.

lydia@scmp.com



More virulent Code Red strain continues to prey on weaknesses in Windows Web servers