Re: code red - some questions

From: Soeren Ziehe (robintonat_private)
Date: Tue Jul 24 2001 - 03:23:00 PDT

    In article <3D5AF8EEF250D311AB480001FA7EBE8003CD63E1@xcem-casfo-07.wellsfargo.com> [23 Jul 01]
        <neitherjat_private> wrote:
    
    > Actually, from the dissertation from EEye, I believe you can detect
    > an infestation, even if dormant, by the existence of the directory
    > c:\notworm on your system.
    
    I'm not so sure.
    Reading the full analysis from EEye ('Full analysis of the .ida "Code
    Red" worm.' - <20010719001751.N2190at_private>)
    I cannot find a reference to c:\notworm being created. They only mention
    c:\notworm being checked for and call it a "built-in Lysine deficiency".
    I'd guess that it's a "safe guard" by the worm author to prevent the
    worm from spreading during development and/or to be resistant to the
    live attacks.
    
    However ecchienat_private states in his message  
    (<5.0.2.1.1.20010719131134.01ab6df0at_private>):
    
    | Once executed, the worm creates an empty file c:\notworm as a marker
    | that the initial main thread has occurred.
    
    There is no reference to the working threads checking c:\notworm and
    going dormant if it exists, as in the EEye analysis.
    
    So there is quite a discrepancy, I'd say.
    I haven't got an IIS system readily available to check this out at the  
    moment.
    Being mainly an Apache (Linux) and Netware administrator, my contact with
    IIS is minimal under normal circumstances. :-)
    
    Robinton
    
    -- 
    Death is Nature's way of telling you to slow down.
     (Terry Pratchett, STRATA)
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 09:05:27 PDT