Named CodeRed.F, the variant is being categorized in different threat levels. Symantec Corp. classifies it as a minor variant, while F-Secure has ranked it as a Level 2 alert.
The variant only differs from CodeRed II by two bytes, according to virus trackers at Symantec. CodeRed II was designed to reboot a system if the year was greater than 2001. This is no longer the case. CodeRed II stopped spreading at the end of 2002. The change in CodeRed.F enables it to spread forever, according to analysts.
The worm installs a backdoor to infected web servers, enabling any web surfer to execute commands on the server.
The worm scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 web servers, and then uses a buffer overflow vulnerability to infect remote machines. CodeRed.F creates a file detected as Trojan.VirtualRoot, which gives the hacker full remote access to the web server.
Symantec is recommending that anyone running Microsoft IIS Server and Windows 2000 should download and install the security patches for both.
''This variant will reinfect unprotected IIS Web servers, most of which were already infected earlier by CodeRed II,'' says an F-Secure spokesman in a virus alert. ''We're not expecting this to become as big as it was in 2001... Since CodeRed.F still uses the old exploit to infect IIS Web Servers, the number of vulnerable machines is not too high. Most of them are forgotten web servers or home machines without firewalls.''
The new variant has been spreading in the wild since March 11 -- more than 18 months after the original CodeRed worm spread across the world faster than any worm before it.