Two things come to mind - the code was ticking into servers running MS Personal Web Server (the baby of Internet Information Server), and the code was expected to target computers with Chinese keyboards. Perhaps there were more proportionally of these in Korea?
The point in bringing this up is to show that the behavior Code Red II displayed indicates it was not used to compromise news traffic. See, in order to compromise specific entities/groups/organizations, you must first target them. If the purpose of your worm is to compromise news and other info sources, and if your code contains a randomizer that makes the infection jump IP addresses, why would the bias end up being towards IP addresses in a foreign country? How much US media traffic flows through Korea before it hits the US?
The IP address bias the infection displayed demonstrated the intent of the Code Red author. He did not limit the randomizer to addresses that US news sources could be found in, he wrote it to bias its search for infectable IIS instances within similar IP address ranges. IP addresses take the form aaa.bbb.ccc.ddd (for example, forums.randi.org's IP address is 67.228.115.45). The worm first searches for addresses with the same "aaa.bbb", then for the same "aaa." only. After that, it went completely random. If this forum ran on IIS, and was infected by CodeRedII, the infection would first scan the 67.228.0.0 to 67.228.255.255 range for targets to infect, then the 67.whatever range. Given that the targeting is not towards news organizations, but instead towards saturating one range, then a wider range, then a random one, how can the argument be made that this virus was meant to compromise news traffic? It's not targeted towards news traffic, it's coded in a way to spread out wide and far.
So why Korea? In 2001 it was one of the nations that had increasing numbers of broadband users and poorly patched systems. In other words, it was ripe for random infections.
It's not hard at all to see that the idea behind Code Red II was to build numbers of infections, and propagate itself. Not to target specific systems. If the worm's purpose was to suborn media communications and not to build a widespread botnet, why in the world would it have ended up targeting a nation that has little to do with US news reporting and information propagation?
Being able to access explorer by contacting the host website is a far cry from being able to run cli. My understanding of the actual events surrounding the codered.d would be akin to sitting at your PC desktop remotely.
Oh, dear Lord... how do you reconcile the notion that the worm's activity is stealth with the claim that it acted like a remote desktop session? Do you have any idea how much bandwidth such a remote session uses?
On top of that, you also show that you do not understand how the worm actually functioned. The compromise was not done in order to allow for a remote graphic interface; that's ridiculous. The compromise of the explorer executable was in order to bypass file system restrictions and allow virtual web paths to the host drive to be made. File system permissions restrict that; otherwise, anyone with a simple web browser can go mucking about in the system directories of web servers. The compromised explorer executable bypasses that. And that allows someone to hit the IIS service with scripted commands like http://(IP of the compromised computer)/c/winnt/system32/cmd.exe?/c+(arbitrary command to be executed) and execute stuff written to directories not normally accessible through the web. Or in plain language, it allows a remote attacker to send a simple web request to the infected computer with a command tacked onto the end that'll execute in a directory other than the well secured prison you constructed for the web service to play in. As I said before, the replacement of the explorer and cmd executables was for precisely the reason I mentioned before: To shoot code through. A remote attacker would NOT conduct a remote GUI'd session, he'd send a single web command to the compromised instance of IIS and achieve his goals in that manner.
Now, given the nature of how the compromise needed to be used, how in the world would such a compromise be able to manipulate traffic in real time? Just how insanely large would the code be that you'd append to the http request?
"Korean virus watchers say the worm has shown up in an even more deadly form, but experts in the United States think it's merely a repeat of what came before."
http://news.cnet.com/2009-1001-270945.html
Hyperventilating quotes do nothing to support your argument.
------
The fact of the matter is, you do not understand what CodeRed II did or how it operated. You see "system level compromise", "remote access" and a few other magical terms (like your blatant misunderstanding of dark addresses and border routers earlier, as well as your complete misapprehensions regarding logging and detection) and try to create a scenario where this specific worm is used to somehow control news traffic. You ignore the fact that such a compromise only works by throwing it small, very tightly coded commands via web protocols, and that compromising the output of a computer would require far more interactivity than that. And you also must actively ignore the fact that compromising a host does not mean you can compromise records of the traffic necessary to manipulate other traffic. In the end, you make blatant and completely unjustified conceptual leaps in what the infection truly allows a remote attacker to accomplish and what you think they should be able to accomplish. And you betray your lack of knowledge by posting either irrelevant citations or trying to throw together a lingo salad.
The suggestion that Code Red II was used to suborn and "control" media traffic fails on many counts. Others here have already pointed out the obvious, non-technical rebuttal (The news was demonstrably not manipulated). I here am providing the technical one: The nature of the infection does not lend itself to use in the manner you suggest. It's a failed proposition, based on a fundamental misunderstanding of how the worm operates.
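The post describes the backdoor as a single web request of the form /c/winnt/system32/cmd.exe?/c+command, sent through a virtual directory the worm maps onto the host drive. Because every such request is just one line in the web server's access log, it is also exactly what a defender looks for. The following is an added example, not code from the original post or from any Code Red analysis: a small log scanner that flags requests reaching cmd.exe through the /c or /d virtual directory (the shape quoted above) and the oversized .ida request both Code Red variants used to get in. The log format, the sample lines and the client addresses are constructed for this example; real IIS log layouts vary by configured fields.

```python
"""Flag Code Red II style requests in IIS-format web server log lines.

Assumed (hypothetical) log layout, one request per line:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
The sample lines below are constructed for this example, not captured traffic.
"""
import re
from urllib.parse import unquote

# Constructed sample log.  198.51.100.7 first sends the oversized .ida request
# and then drives the backdoor; 203.0.113.5 probes a server that was never
# infected (the /d virtual directory does not exist, so IIS answers 404).
IDA_PAYLOAD = "X" * 224 + "%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = "\n".join([
    "2001-08-06 10:01:12 192.0.2.10 GET /index.htm - 200",
    f"2001-08-06 10:02:33 198.51.100.7 GET /default.ida {IDA_PAYLOAD} 200",
    "2001-08-06 10:03:05 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 200",
    "2001-08-06 10:04:01 203.0.113.5 GET /d/winnt/system32/cmd.exe /c+dir 404",
    "2001-08-06 10:05:00 192.0.2.11 GET /images/logo.gif - 200",
])

LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)
# cmd.exe reached through the /c or /d virtual directory the worm creates,
# i.e. the request shape quoted in the post.
BACKDOOR_STEM = re.compile(r"^/[cd]/winnt/system32/cmd\.exe$", re.IGNORECASE)
IDA_STEM = re.compile(r"^/default\.ida$", re.IGNORECASE)


def classify(line):
    """Return a finding dict for a suspicious line, or None for a benign one."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    stem = unquote(m["stem"])  # undo %xx escaping so /c%2fwinnt... still matches
    query = m["query"]
    status = int(m["status"])
    if BACKDOOR_STEM.match(stem):
        # IIS logs the query without the '?', with '+' standing for a space.
        command = unquote(query.replace("+", " ")) if query != "-" else ""
        return {
            "client": m["client"],
            "kind": "backdoor-command",
            "command": command,
            # 200 means the virtual directory exists: this host is already infected.
            "succeeded": status == 200,
        }
    if IDA_STEM.match(stem) and len(query) > 200 and "%u" in query:
        return {
            "client": m["client"],
            "kind": "ida-probe",
            "command": "",
            "succeeded": status == 200,
        }
    return None


def scan_log(text):
    """Classify every line of a log and return the findings in order."""
    return [f for f in (classify(ln) for ln in text.splitlines()) if f]


def suspect_clients(findings):
    """Client addresses that sent at least one flagged request."""
    return {f["client"] for f in findings}


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The status code matters when reading the output: a 404 on the cmd.exe path is an outside probe against a clean server, while a 200 means the virtual directory answered and the host was already compromised before that line was written. The `succeeded` flag records that distinction so triage can separate scanning noise from confirmed infections.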