Code Red: Day TwoCode Red: Day Two

The CERT Coordination Center says it is hoping the worst of the Code Red worm's infection phase is over. "We're cautiously optimistic that the impact of the infection stage of this variant has been minimized," says Jeff Reed, a technical staff member at the center.

According to Reed, several companies, large and small, have reported that their servers have crashed because of the worm's extensive scanning for new Windows NT and 2000 servers to infect. Reed says the current estimate puts the number of infected systems at 200,000. Meanwhile, the SANS Institute is reporting that as of 9:00 a.m. Eastern time, roughly 239,000 servers have been infected.

The number of Code Red probes per hour that SANS is tracking seems to have stabilized at under 60,000 an hour, according to the institute's Incidents Web site.

As in the first version, the worm is set to switch from its spread phase to its attack phase on the 20th of each month. "We're also now seeing what are believed to be newer variants of the worm," says Reed. "We're in the process of analyzing these and will be issuing assessments on the new versions as they develop."

Code Red is currently in the infection stage of its life cycle, in which it scans the Internet for computers that haven't been patched. In the action or attack stage, the worm will launch a distributed denial-of-service attack, programmed to begin on Aug. 20.