In article <3D5AF8EEF250D311AB480001FA7EBE8003CD63E1@xcem-casfo-07.wellsfargo.com> [23 Jul 01] <neitherjat_private> wrote:

> Actually, from the dissertation from EEye, I believe you can detect
> an infestation, even if dormant, by the existence of the directory
> c:\notworm on your system.

I'm not so sure. Reading the full analysis from EEye ('Full analysis of the .ida "Code Red" worm.' - <20010719001751.N2190at_private>) I cannot find any reference to c:\notworm being created. They only mention c:\notworm being checked for and call it a "built-in Lysine deficiency". I'd guess that it's a "safe guard" by the worm author to prevent the worm from spreading during development and/or to be resistant to the live attacks.

However ecchienat_private states in his message (<5.0.2.1.1.20010719131134.01ab6df0at_private>):

| Once executed, the worm creates an empty file c:\notworm as a marker
| that the initial main thread has occurred.

There is no reference to the working threads checking c:\notworm and going dormant if it exists, as in the EEye analysis. So there is quite a discrepancy, I'd say.

I haven't got an IIS system readily available to check this out at the moment. Being mainly an Apache (Linux) and Netware administrator, my contact with IIS is minimal under normal circumstances. :-)

Robinton
--
Death is Nature's way of telling you to slow down. (Terry Pratchett, STRATA)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 09:05:27 PDT