Re: Full analysis of the .ida "Code Red" worm.

From: corecode (simonsat_private)
Date: Thu Jul 19 2001 - 11:09:07 PDT

Next message: Keith.Morgan: "RE: .ida Intrusion Attempt"

Previous message: Martin Roesch: "Re: .ida Intrusion Attempt"
In reply to: aleph1at_private: "Full analysis of the .ida "Code Red" worm."
Next in thread: Marc Maiffret: "RE: Full analysis of the .ida "Code Red" worm."
Reply: Marc Maiffret: "RE: Full analysis of the .ida "Code Red" worm."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At 06:17 AM 7/19/2001, aleph1at_private wrote:
>----- Forwarded message from Marc Maiffret <marcat_private> -----
>8. Infect a new host (send .ida worm to a "random" IP address on port 80).
>
>At this point the worm will resend itself to any IP addresses which it can
>connect to port 80 on. It uses multiple send()'s so packet traffic may be
>broken up. On a successful completion of send, it closes the socket and goes
>to step 6... therefore repeating this loop infinitely.

i wonder if these connects originate from port 80, too
somewhere i read about a source port 80, but maybe i mistake this with the 
acknowledging "GET"

greets,
   corecode



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Next message: Keith.Morgan: "RE: .ida Intrusion Attempt"
Previous message: Martin Roesch: "Re: .ida Intrusion Attempt"
In reply to: aleph1at_private: "Full analysis of the .ida "Code Red" worm."
Next in thread: Marc Maiffret: "RE: Full analysis of the .ida "Code Red" worm."
Reply: Marc Maiffret: "RE: Full analysis of the .ida "Code Red" worm."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 16:16:25 PDT