A mutant version of the infamous CodeRed II worm has emerged in the wild, security experts have warned.

The minor variant of the original CodeRed.F differs in only two bytes of code from the original CodeRed II.

According to antivirus firm Symantec the functional and payload elements of the mutant are substantially the same as its predecessor.

CodeRed.F scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 web servers and uses a buffer overflow vulnerability to infect the computers.

The worm then injects itself directly into memory, rather than copying itself as a file on the system.

In addition, CodeRed.F creates a file called Trojan.VirtualRoot which gives the hacker full remote access to the web server.

In order to protect against the worm, Symantec recommends taking the following action:

Users running Microsoft IIS Server should apply the latest Microsoft patch here.

A cumulative patch for IIS, including the four patches released to date, is available here.

In addition, the worm's Trojan.VirtualRoot payload takes advantage of a vulnerability in Windows 2000.

A Microsoft security patch to address this problem and stop the Trojan from re-infecting can be downloaded here.