Code Red may have hit many servers in Oman
MUSCAT — Oman Telecommunications Company (Omantel) has hinted that there is a possibility that servers in Oman could have been hit by the Code Red Internet virus, which reportedly struck again yesterday at 4am.
The company noted that ‘business’ users were more likely to be affected than home PC users. If that is so, several hundred users could have been affected in Oman.
"There is a strong possibility of servers in Oman being hit by this ‘worm’ as
most of them run the Microsoft software that it has been designed to damage,"
an Omantel spokesperson told the Times of Oman yesterday.
"Our information is that the worm attacks servers, not PCs. If so, this means
that it is business users that are at risk rather than home PC users. We do
not know exactly the number of servers in Oman that are running on vulnerable
software, but the figure is probably several hundreds," the spokesperson said.
However, Omantel has not received any enquiries from users. "However, this is not unexpected, as prudent companies (including Omantel) subscribe to international services that give warning of these viruses and will, therefore, have received warning directly and guidance on appropriate precautions."
The spokesperson advised that it was "always prudent to invest in reputable
protective software against all types of virus and to ensure that it is kept
current by downloading updates from the Web.
"Users should always maintain the habit of backing up important files
regularly. Also, protect your e-mails by having your virus scanner scan
through the incoming messages to detect viruses before they can infect your
computer.
"Our Internet and computer specialists took appropriate action to protect
Omantel servers from the virus as soon as we received warning of its
existence. So far we have experienced no adverse effects but we continue to
monitor the situation closely. It is too soon to say whether we have escaped
‘infection’".
Meanwhile, Tariq Al Barwani, a local Internet expert who also admitted to experiencing problems with some local and international websites, passed some valuable comments on Code Red and Sircam.
"Many servers worldwide connected to the Internet have been infected by the virus. The Internet is a global medium. Any country connected/hooked to the network is open to the virus attack if patches have not been applied to the server already. The patch can be downloaded from Microsoft’s official website," Tariq said.
The virus targets computer systems running Windows NT, Windows 2000 and IIS.
"Therefore, most home users who are using Windows 95, 98 or ME will not be
affected. Only Microsoft Web servers running IIS will be infected with this
worm," Tariq noted.
According to him, the currently spreading version of the virus does not destroy data, but it overwhelms a server and slows large swaths of the Internet. In addition, the virus could damage smaller networks using Cisco Systems’ 600 series DSL routers; consequently, the virus could cause the router to stop forwarding traffic.
"I personally experienced delays and strange behaviour on some of the local and international websites because of the virus. According to genuine sources, computer systems not set to use English are likely to be immune to the virus."
Tariq noted that there are many users who use computers running the Windows NT or Windows 2000 operating systems and Microsoft’s Internet Information Server (IIS) software version 4.0 or 5.0. "Besides, many of the reputed ISPs and web hosting companies internationally use these services. Many local organisations host Internet websites with these ISPs."
He noted that he had received many inquiries from lay users.
Tariq noted that the Sircam virus could also be removed by using the latest antivirus software. "A user can use the latest antivirus software with an updated definition of the virus. This would definitely clean the virus for you automatically. Updating the virus can be done free from the vendors’ websites. Microsoft is also offering the patch on its official website."
Tariq also provided a glimpse into the history of the virus:
The Code Red worm, named after a high-caffeine cola from Pepsi, exploits a
known vulnerability in ida.dll, a component of the Index Server that provides
support for .ida and .idq files. In Microsoft's IIS 4.0 and 5.0, ida.dll is
subject to buffer overruns, allowing a malicious user to exploit rogue code
and gain access to the server. Microsoft originally posted a patch for this
vulnerability on June 18, 2001.
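The article describes the flaw as a buffer overrun in ida.dll, reached through requests for .ida and .idq resources. A defender reviewing IIS logs for that period would want to spot requests that target those resources with an oversized query string. The following scanner is an added example written for this page; it is not code from the article, Omantel or Microsoft. It assumes a simplified W3C-style IIS log layout (date, time, client IP, method, URI stem, query, status) and an illustrative length threshold; the sample log lines are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Illustrative threshold (assumption, not from the article): a legitimate Index
# Server query is short, while a request aimed at the ida.dll buffer overrun
# carries a query string far longer than any normal search.
MAX_IDA_QUERY_LEN = 200

# Simplified W3C-style IIS log line assumed for this example:
# date time client-ip method uri-stem uri-query status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<query>\S+) (?P<status>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return None for lines that do not fit the layout."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def is_suspicious(entry: Dict[str, str]) -> bool:
    """Flag requests for .ida/.idq resources with an oversized query string."""
    uri = entry["uri"].lower()
    if not uri.endswith((".ida", ".idq")):
        return False
    query = entry["query"]
    if query == "-":  # IIS writes "-" when there is no query string
        return False
    # The HTTP status is deliberately ignored: a vulnerable server may answer
    # 200 to the malicious request, so status alone says nothing.
    return len(query) > MAX_IDA_QUERY_LEN


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious request, with client and query length."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            findings.append(
                {
                    "client": entry["client"],
                    "uri": entry["uri"],
                    "query_len": len(entry["query"]),
                    "status": entry["status"],
                }
            )
    return findings


def sources_by_hits(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per client IP so random-scanning sources stand out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["client"])] = counts.get(str(f["client"]), 0) + 1
    return counts


# Constructed sample log (not real traffic): a normal page request, a short
# legitimate Index Server query, and one oversized .ida request.
SAMPLE_LOG = [
    "2001-08-01 04:00:12 198.51.100.7 GET /default.htm - 200",
    "2001-08-01 04:00:15 198.51.100.7 GET /search.idq CiRestriction=report 200",
    "2001-08-01 04:00:19 203.0.113.9 GET /default.ida " + "A" * 240 + " 200",
    "this line is not a log entry",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['client']} requested {hit['uri']} with a {hit['query_len']}-byte query")
    print("sources:", sources_by_hits(hits))
```

The scanner keys on the two facts the article gives (the vulnerable component handles .ida/.idq requests, and the defect is a buffer overrun), not on any specific payload, so it also catches variants that change the padding bytes. Once a hit is found, the practical follow-up is the one the article itself recommends: confirm the server is running the patched IIS and, if the request was answered 200 before patching, treat the host as possibly compromised.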
However, not all the affected IIS systems were patched. Within a few hours on
July 19, the Code Red worm spread to more than 250,000 machines worldwide. The
worm, believed to have started at a university in Guangdong, China, searches
out ida.dll vulnerable systems by choosing random Internet addresses and
defaces some infected websites with the phrase "Hacked by Chinese." The
original outbreak of the worm was to have launched a denial-of-service attack
upon www.whitehouse.gov, but the White House changed its numerical address and
avoided the attack. Code Red continued to spread from July 20 to July 27 when
it went dormant.
Variations of the worm have been seen in the wild and reported to BugTraq. In
a rare move, the government is joining with Microsoft to encourage all users
of Windows NT and 2000 to install the security patch. Users of the beta
version of Windows XP should contact Microsoft directly for more information.