** Virus Alert: CODERED.A **
Description: This worm uses a remote buffer overflow vulnerability in Internet
Information Service (IIS) Web Servers that can give system-level privileges to a
remote user, thereby compromising network security. This worm has two trigger
dates and two payloads. The first payload is triggered when the day of the
current system date is between 20 and 28: the worm executes a distributed denial
of service (DDoS) attack on a Government Web site (www1.whitehouse.gov). The
second payload is triggered if the day of the current system date is less than
20: the worm generates random IP addresses and sends copies of itself through
port 80.

Details: This worm arrives in the packet data and contains a download command
that accesses the Indexing Service (IDA) for the Internet Server API (ISAPI)
with parameters greater than the allowed size. The IIS (Internet Information
Service) attempts to process the bulk of the data, which then causes a buffer
overflow.

The data contains the preferred address used to replace the system instruction
pointer during the overflow. It also contains executable binary code known as
the shell code. The buffer overflow allows the execution of the shell code with
system-level privilege.

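One way to look for the oversized IDA requests described above in IIS logs,
labelled with the payload window this alert gives for the log date. This is an
added example, not part of the original alert; the length cutoff, the function
names and the sample log lines are assumptions constructed for illustration.

```python
from datetime import date

# Assumption: the alert gives no figure for the "allowed size"; this cutoff is
# illustrative and should be tuned against normal traffic on the server.
MAX_IDA_QUERY_LEN = 200

def phase_for_day(day):
    """Map a day of the month to the payload the alert describes."""
    if day < 20:
        return "propagation"   # random IP addresses, copies sent via port 80
    if day <= 28:
        return "ddos"          # attack on www1.whitehouse.gov
    return "none stated"       # the alert names no payload after the 28th

def find_oversized_ida_requests(lines, limit=MAX_IDA_QUERY_LEN):
    """Return one record per .ida request whose query string exceeds limit."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows below
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "-")
        if "date" not in row or not stem.endswith(".ida"):
            continue
        if query != "-" and len(query) > limit:
            day = date.fromisoformat(row["date"]).day
            hits.append({"src": row.get("c-ip"), "date": row["date"],
                         "query_len": len(query), "phase": phase_for_day(day)})
    return hits

# Constructed sample log: documentation IP ranges, filler query data.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-15 04:12:09 192.0.2.10 GET /default.ida " + "X" * 300 + " 200",
    "2001-07-15 04:12:11 192.0.2.11 GET /index.html - 200",
    "2001-07-22 09:30:00 198.51.100.7 GET /search.ida q=report 404",
    "2001-07-22 09:31:40 203.0.113.5 GET /DEFAULT.IDA " + "X" * 450 + " 500",
]

if __name__ == "__main__":
    for hit in find_oversized_ida_requests(SAMPLE_LOG):
        print(hit)
```

Source addresses that appear in hits during the propagation window are likely
infected hosts scanning at random, so they are worth reporting to their owners.
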
Should you receive an e-mail that contains this subject header, message, or the
attached file, DO NOT OPEN THE ATTACHMENT - PLEASE DELETE IT IMMEDIATELY.

This virus only attacks computers using Windows NT Server or Windows 2000
Server.