Thursday July 19, 2001

'Code Red' Virus Aims at White House Web Site

By Elinor Mills Abreu

LOS ANGELES (Reuters) - A new Internet virus nicknamed "Code Red" appears to be programming thousands of computer drones to launch an all-out cyber attack on the White House Web site, security experts said on Thursday.

The Code Red worm appears to instruct infected computers to launch a "denial of service" attack on the government Web site (www.whitehouse.gov), of the kind that took down major Internet sites such as Yahoo! Inc. (NasdaqNM:YHOO) and eBay Inc. (NasdaqNM:EBAY) in February last year, analysts said.

The worm defaces English-language Web sites hosted by the computers it infects, displaying the slogan "Hacked by Chinese!," the security experts said. The origin of the virus was not clear.

The White House Web site, which is the home page for the Bush Administration, was still accessible as of Thursday evening.

White House spokeswoman Jeannie Mamo said: "The White House has taken preventive measures aimed at minimizing any impact of ... the Code Red worm."

A denial of service attack is intended to render the target site inaccessible to legitimate traffic by swamping it with requests for information.

The Code Red worm could also slow overall Internet traffic by flooding the Web with message traffic from infected computers, according to Marc Maiffret, chief hacking officer at eEye Digital Security, a computer security company based in Aliso Viejo, California.

Maiffret estimated that 12,000 computers around the world had been infected with the Code Red worm.

A second estimate issued by the System Administration, Networking and Security Institute, a security research organization in Bethesda, Maryland, put the number of infected computers at about 200,000.

Infected systems are likely to see their network performance degraded as a result of the scanning activity of the worm, a statement issued by the Computer Emergency Response Team (CERT) at Carnegie Mellon University said.

The Code Red worm exploits a vulnerability in Microsoft Internet Information Server 4.0 and 5.0 and affects computers running Windows NT 4.0 and Windows 2000, CERT said.

Maiffret and his colleagues discovered the vulnerability in June and Microsoft subsequently released a patch, which would prevent a computer from being infected with the worm, he said.

"Even if you have done everything right your network connection could still be taken down because of the amount of data flooding you get from all of the other guys who hadn't applied patches and were infected by this worm," Maiffret said.

A second worm discovered this week, called W32.Sircam, sends copies of itself to all email addresses in an infected computer's address book and can delete files and directories, fill up the hard disk and send files out to the Internet, according to statements released by Symantec Corp. (NasdaqNM:SYMC) and Network Associates Inc. (NasdaqNM:NETA).

Sircam, which has English and Spanish-language versions, has been found in more than 50 corporate networks worldwide, Network Associates said.
