Re: Full analysis of the .ida "Code Red" worm.

From: corecode (simonsat_private)
Date: Thu Jul 19 2001 - 11:09:07 PDT


    At 06:17 AM 7/19/2001, aleph1at_private wrote:
    >----- Forwarded message from Marc Maiffret <marcat_private> -----
    >8. Infect a new host (send .ida worm to a "random" IP address on port 80).
    >
    >At this point the worm will resend itself to any IP addresses which it can
    >connect to port 80 on. It uses multiple send()'s so packet traffic may be
    >broken up. On a successful completion of send, it closes the socket and goes
    >to step 6... therefore repeating this loop infinitely.
    
    I wonder if these connects originate from port 80, too.
    Somewhere I read about a source port 80, but maybe I mistake this with the
    acknowledging "GET".
    
    greets,
       corecode
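    The forwarded step says the worm's .ida request is delivered with multiple send() calls, so a detector that inspects each packet on its own can miss the request line when it straddles a segment boundary. The following added example (not part of this thread or of the original analysis) reassembles constructed TCP segments by sequence number before matching; the request path, host name and segment boundaries are invented for illustration.

```python
"""Reassemble a TCP payload stream and look for an HTTP request for an
.ida resource, the Code Red delivery vector discussed in the thread.
Added example; all segments below are constructed, not captured."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


# Request line for any .ida resource. The concrete path in the sample
# data below is a placeholder, not taken from a real worm.
IDA_REQUEST = re.compile(rb"^GET\s+/\S*\.ida\S*\s+HTTP/1\.[01]", re.M)


def reassemble(segments):
    """Order segments by sequence number and concatenate their payloads,
    discarding bytes that overlap an earlier segment (retransmissions)."""
    data = bytearray()
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:            # hole in the stream: cannot match safely
            raise ValueError(f"missing bytes before seq {seg.seq}")
        data += seg.payload[expected - seg.seq:]   # skip overlapping prefix
        expected = max(expected, seg.seq + len(seg.payload))
    return bytes(data)


def stream_complete(segments):
    """True when the captured segments form a gap-free stream."""
    try:
        reassemble(segments)
        return True
    except ValueError:
        return False


def matches_per_segment(segments):
    """Naive per-packet matching; misses a request line split across sends."""
    return any(IDA_REQUEST.search(s.payload) for s in segments)


def matches_reassembled(segments):
    """Match against the reassembled stream instead of individual packets."""
    return IDA_REQUEST.search(reassemble(segments)) is not None


# Constructed delivery split across three send() calls, captured out of
# order and with one retransmitted segment.
SPLIT_REQUEST = [
    Segment(17, b"AAAA HTTP/1.0\r\nHost: target.example\r\n\r\n"),
    Segment(0, b"GET /examp"),
    Segment(10, b"le.ida?"),          # retransmission of the next segment
    Segment(10, b"le.ida?"),
]
```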
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 16:16:25 PDT