RE: Full analysis of the .ida "Code Red" worm.

From: Eric Chien (ecchienat_private)
Date: Fri Jul 20 2001 - 01:42:13 PDT

    At 06:55 PM 7/19/2001 -0700, you wrote:
    >This whole worm process that we have been going through will basically start
    >from scratch and run its course again when the 1st of next month comes
    >around.
    
    
    That is sort of true.  What happens is on the 20th, the threads that were 
    trying to attack new hosts move to performing the DoS.  All of those 
    threads on the 28th move into an infinite sleep.  Thus, if you are infected,
    your infection goes dormant.
    
    So, in the 'ideal' world, the worm goes dormant on the 1st.  But if a 
    single new infection anywhere in the world happens again on the 1st, then 
    everyone (unpatched) is up for infection again.
    
    And of course that can happen if anyone has their date set wrong.
    
    ...Eric
    


