Case Study: Code Red. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle.  http://sfsecurity.pr.erau.edu
How did it happen?
A server running Microsoft’s IIS will send you a web page if you make a request to that server by telling it what you want (for example, you might tell www.momscookies.com that you want the hypertext file /oatmeal/raisin.html by typing http://www.momscookies.com/oatmeal/raisin.html).

The string you send is stored in one buffer, which does not overflow because it was properly bounds-checked.  Each character is an ASCII character which takes one byte to store.
If you requested some other HTTP service, though, this buffer might be reformatted into UNICODE (used for international character sets, 1 character = 2 bytes) and stored in another buffer.
It was this other buffer that overflowed because there was no bounds checking to make sure the UNICODE buffer was twice as big as the ASCII buffer.
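
The missing check, as an added example that is not IIS source code or code from the original case study: an ASCII-to-2-byte conversion without a size check beside a bounds-checked form. The function names, the 64-byte buffer size and the sample request are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REQ_MAX 64  /* constructed size; the page gives no real IIS sizes */

/* Unchecked pattern: writes 2 bytes per input byte and never asks how
 * large dst is. Correct only if the caller sized dst at 2 * len bytes. */
void widen_unchecked(const char *src, size_t len, uint16_t *dst)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = (unsigned char)src[i];
}

/* Checked form: dst_bytes is the destination size in bytes. Returns the
 * bytes written, or -1 (writing nothing) if the widened string won't fit. */
long widen_checked(const char *src, size_t len, uint16_t *dst, size_t dst_bytes)
{
    if (len > dst_bytes / sizeof(uint16_t))  /* divide: len * 2 could wrap */
        return -1;
    for (size_t i = 0; i < len; i++)
        dst[i] = (unsigned char)src[i];
    return (long)(len * sizeof(uint16_t));
}

/* Constructed scenario: the wide buffer has the same byte count as the
 * ASCII buffer, so it holds only half as many characters. */
long convert_request(size_t request_len)
{
    char ascii[REQ_MAX];
    uint16_t wide[REQ_MAX / 2];
    if (request_len > sizeof ascii)  /* the check the first buffer did have */
        return -2;
    memset(ascii, 'A', request_len);
    return widen_checked(ascii, request_len, wide, sizeof wide);
}

int main(void)
{
    printf("32 chars -> %ld\n", convert_request(32));
    printf("33 chars -> %ld\n", convert_request(33));
    return 0;
}
```

A request that passes the first buffer's check can still be too long for the second buffer once each character takes two bytes, so the conversion step needs its own check against the destination size.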

While it is not easy to exploit this kind of buffer overflow, it proved not to be impossible.  The buffer overflow allowed the attack code, which was included in the request string, to be executed.