The author of the malicious CodeRed worm has been traced to a university in China, according to U.S. officials.

The chief technologist at the U.S. General Accounting Office (GAO) told the bipartisan House committee on government reform last week that he believes the worm to have originated from a university in Guangdong, China. But no details were released to back up the claim, and Keith Rodes, who delivered the speech, insisted that no one country or person was being treated as a prime suspect yet.

The CodeRed worm and its predecessor CodeRed II take advantage of a vulnerability in Microsoft's Internet Information Server (IIS) Web server software, and propagate across networks without any user intervention. The CodeRed II worm is more malicious, as it installs "back doors" on infected Web servers, allowing any remote hacker to execute arbitrary commands and take complete control of a system.

Speculation has previously appeared in the press that the name "CodeRed" referred to China, and was fuelled by the "Hacked by the Chinese" message that appeared on some attacked computers. But in fact the name came from the latest flavor of the favorite drink--Mountain Dew--of the researchers who discovered the virus, working at Internet security firm eEye Digital.

The U.S. has been investigating the CodeRed since the 19 July, when it infected more than 250,000 systems in just nine hours, according to the National Infrastructure Protection Centre (NIPC). An estimated 975,000 servers have been infected in total, according to Computer Economics--including the White House Web site.

By Wendy McAuliffe
ZDNet (UK)