This paper focuses on the behavior of the Code Red (CRv2) and Code Red II worms, discussing how the worms propagated and capitalized on known yet unpatched software vulnerabilities. Creating a computer and network security policy is discussed in light of the lessons learned from these worms.