If it is updated to make it more efficient we could be in for a lot more trouble

Kenneth De Spiegeleire, ISS

But according to the US Computer Emergency Response Team, its potential is still unknown.

The US National Infrastructure Protection Centre said it too was getting reports that Code Red had awoken.

A statement issued by the Centre said: "Early reports of activity spanning the entire globe indicate the worm has gone active and is presently spreading throughout the internet."

One estimate from Internet Security Systems said eventually the worm would infect as many machines as it managed during the last outbreak.

Experts say the worm has 19 days to spread, twice as long as during the last outbreak.

But the rate at which Code Red is expanding is slowing suggesting that it is struggling to find vulnerable computers.

Code Red dissected

Detailed analysis of the Code Red worm has revealed why it poses a threat to the internet and the confusion over its potential for disrupting the net.

Code Red threat

3.5m websites use Microsoft IIS software About 35% initially vulnerable Dropped to 15% due to Code Red warnings

A report by Internet Security Systems (ISS) said that concerns that infected servers will re-awaken and unleash a deluge of data were "largely inaccurate".

Code Red is a relatively sophisticated program that has three modes; scanning, flooding and sleep.

While "scanning" the worm searches for vulnerable servers and runs malicious computer code on those it finds to embed itself and spread. Fears that rampant scanning could slow the net prompted this week's rash of warnings.

During "flooding" mode the worm bombards the Whitehouse.gov website with bogus data packets.

Slumbering software

ISS believed that the final "sleep" phase could last indefinitely and that infected machines would not unleash havoc on the net.

The report notes that even if the worm is re-activated manually by a hacker, many of the vulnerable machines have been patched.

Netcraft, which carries out regular surveys of web server software, estimates that around 3.5 million sites are using Microsoft IIS software.

Of these about 35% were initially vulnerable, a figure that has now dropped to 15% following the publicity about the worm.

Virus variants

But the ISS report warns that the threat posed by the Code Red virus has not entirely disappeared.

The damage done when it struck on 19 July was caused by a variant of the virus rather than the original. Whoever tampered with the code of the worm improved its ability to propagate and made it more effective.

The original worm randomly generated network addresses and then sent data to each one to find out if they were vulnerable.

ISS estimates that the worm could scan at least 400,000 net addresses per day, and could take a long time to probe the entire net address space of 4 billion potential combinations.

But the report warns that newer variants of the worm which fix some of the remaining bugs in the malicious program could lead to disruption of the net in the future.

"If it is updated to make it more efficient we could be in for a lot more trouble " said Kenneth De Spiegeleire, manager of the ISS security assessment service, "because then it might not be so easy to patch."