Virus warning: Code Red variant not a patch on the original

Security experts have said users have little cause for alarm with a variant of the destructive Code Red worm doing the rounds.

Code Red.F, which differs from the original Code Red by only two bytes, began spreading on Tuesday, according to reports from security software makers Symantec, McAfee and F-Secure. The new variant is detected by existing virus signatures for Code Red, according to the companies, and is blocked by patches for Microsoft's Internet Information Server (IIS), which most administrators installed before or during the original Code Red outbreak.

The original Code Red wreaked widespread havoc during the summer of 2001, infecting more than 350,000 web servers running IIS. The infected servers were used to spread the worm and to launch a denial-of-service attack on the main website for the White House.

The first sequel to Code Red also caused widespread damage, but subsequent variations on the worm packed only a minor punch, largely because the IIS hole the worm exploits had already been patched.

According to a security bulletin from Symantec, the main difference in Code Red.F is that it removes the expiration date that prevented the original worm from activating if the year was later than 2001.

Most security firms classified the new variant as a moderate threat, with negligible infections reported so far.

Kevin Haley, group product manager with Symantec Security Response, said the company saw a brief surge of infections in Europe on Tuesday night, but activity has been minimal since then.

"It looks like people learned a lesson with the first Code Red," he said. "They've updated their patches for IIS and kept their [antivirus] definitions current."