Code Red keeps world guessing

Question over how much damage the worm will do

The Code Red worm computer bug has had no immediately visible effect on the internet, security experts say.

But they have cautioned that the impact of the worm's attack, which was expected to begin as the new month started at midnight GMT on Wednesday, might become evident later.

In a bid to limit the number of machines the worm can infect, law enforcement agencies, business groups and governments urged people to check if their computers were infected and to install software that could stop the malicious program taking them over.

Code Red worm

What is it?
Code Red is a malicious program that can scan the web by itself looking for computers it can copy itself to.

How does it work?
On certain dates, all infected machines are supposed to bombard the White House website with bogus data packets. For the rest of the month, infected computers will be scanning for uninfected machines. It also briefly replaces web pages with the text "Hacked by Chinese".

What effect does it have?
As yet unknown. The White House avoided the attack by changing the internet address of its website, but all those machines looking for new homes for the virus could cause some disruption.

How can it be stopped?
Infection can be avoided by using Microsoft patch programs. Software is also available to remove the worm from infected machines. Computers that are infected and scanning should be rebooted and then disinfected.

But a company that monitors website traffic, Keynote Systems Inc, has reported that traffic appears normal at some of the most-visited US websites, such as Yahoo, Google and Excite.

"If the proliferation of the worm and its resulting traffic was going to affect internet performance, it would surely be seen in these sites," Keynote spokeswoman Mary Lindsay said.

"So I guess it remains to be seen... Everything is quiet."

Millions of computer systems appeared well prepared, because of a free software patch from Microsoft.

"It's something like the Y2K bug, because everyone was prepared," said Ravi Venkatesam of at Atesto Technologies in California.

"Because everyone protects themselves, it turns out to be a dud. But that's a good thing because it means that everyone has protected themselves."

But US officials said more time was needed to determine whether the internet had managed to escape the worm's wrath.

"It will take a while for pertinent analysis to be conducted," FBI spokeswoman Debby Weierman said. "We're not going to get a definitive sense of what has transpired for a few hours."

Net is strong

The net is built to withstand disruption and the worm attacks only a fraction of all net-connected machines.

Governments have issued a warning about the worm because they fear that the increase in web traffic caused by all those copies of Code Red looking for vulnerable machines could severely disrupt the normal working of the net.

The worm reportedly spends two-thirds of every month looking for new machines to infect and the rest of the time using these machines to bombard the site of the White House, with bogus data packets. For the last few days of every month, it lies dormant.

The Code Red worm exploits vulnerabilities in versions 4.0 and 5.0 of Microsoft's Internet Information Server software that is bundled in with some copies of the Windows NT and 2000 operating system.

Defences

Microsoft has made available a patch that closes the loophole that Code Red exploits and many anti-virus companies have produced software that can find and remove the malicious program from infected machines.

Worm targeted the White House's website

Nevertheless, according to a California company, Computer Economics, Code Red has already cost about $1.2bn in damage to networks.

That makes it more destructive than the 1999 Melissa virus ($1bn) but less damaging than last year's Love Bug virus ($8.7bn). The cost of cleaning up and protecting systems from Code Red is estimated at nearly $740m.

Code Red differs from many recently successful viruses because it is relatively sophisticated and uses a variety of techniques to hide and do damage.

As the worm scans for up to three weeks of every month, the most compromised networks should soon become obvious. The scanning is unlikely to be co-ordinated because many net-connected systems have their internal clocks set to the wrong time.

For many, the only difference it might make to their web browsing experience could be to make web pages take longer to appear and perhaps delay the delivery of e-mail messages for a short while.