What Does Code Red Do?
Propagation phase (days 1-19)
Target host scanned on TCP port 80
Attacking host sends a specially crafted HTTP GET request that exploits the IIS buffer overflow vulnerability (Index Service does not have to be running to be exploited!)
If successful, the worm starts running from RAM if the file c:\notworm is not found