Editing Code Red (computer worm) (section)

===Worm payload ===
The payload of the worm included:

* [[Website defacement|Defacing]] the affected web site to display:

 HELLO! Welcome to <nowiki>http://www.worm.com</nowiki> ! Hacked By Chinese!

* Other activities based on the day of the month:<ref>{{cite web |title=CERT Advisory CA-2001-19: 'Code Red' Worm Exploiting Buffer Overflow In IIS Indexing Service DLL |url=http://www.cert.org/advisories/CA-2001-19.html |work=CERT/CC |date=July 17, 2001 |access-date=June 29, 2010}}</ref>
** Days 1-19: Trying to spread itself by looking for more IIS servers on the Internet.
** Days 20–27: Launch [[denial of service]] attacks on several fixed [[IP address]]es. The IP address of the [[White House]] web server was among these.<ref name="caida" />
** Days 28-end of month: Sleeps, no active attacks.

When scanning for vulnerable machines, the worm did not test whether the server running on a remote machine was running a vulnerable version of IIS, or even whether it was running IIS at all. [[Apache HTTP Server|Apache]] access logs from this time frequently had entries such as these:

{{pre|1=GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0}}

The worm's payload is the string following the last 'N'. Due to a buffer overflow, a vulnerable host interpreted this string as computer instructions, propagating the worm.