Yotam,

At home, I have the output from a lab machine in each of the three phases when infected. Infect mode, DoS Mode and Sleep Mode; I think I might even have one with c:\notworm in place. These are not an "In the wild" dump and only show what the worm wanted to do, not necessarily what it did for real. (They show the outgoing SYN, but no responses.)

If that would be of use, I can ship them off this evening.

L. Christopher Paul
Christopher.Paulat_private
lcpat_private

On Mon, 23 Jul 2001, Yotam Rubin wrote:

> Hi,
>
> Does anyone here have extensive packet dumps of the behavior of
> a host after it has been infected with the Code Red worm? A day's worth
> of packets of an infected host would be great, but I welcome anything.
>
> Regards, Yotam Rubin
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 13:27:37 PDT