Cases Study: Code Red. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle.  http://sfsecurity.pr.erau.edu
When did it happen?
18 June 2001- eEye Digital security reports the vulnerability
18 June 2001- Microsoft releases a patch
19 June 2001 – CERT Advisory CA-2001-13 released
12 July 2001 – First incarnation of Code Red released, doesn’t spread as well as it could
19 July 2001 – Second incarnation of Code Red released, nearly the same code but it spreads much better, failed attempt at a denial-of-service attack on www.whitehouse.gov (100’s of thousands of machines infected)
19 July 2001 – CERT advisory CA-2001-19 released
31 July 2001 – CAIDA follow-up survey shows that nearly a third of the machines infected by Code Red were still not patched
4 August 2001 – 16 days later, Code Red II is released, exploiting the very same vulnerability, but installing a back door on infected machines. 100’s of thousands more machines are infected or re-infected.  Code Red II was probably released by a different party as it shared no code with the original Code Red.