code red - c:\notworm

From: Soeren Ziehe (robintonat_private)
Date: Thu Jul 26 2001 - 09:38:00 PDT

    Hello,
    
    about c:\notworm ...
    
    I re-read the analysis from EEye ('Full analysis of the .ida "Code Red"
    worm.') and the message from ecchienat_private.
    Also I had a look at the worm code
    (http://www.eeye.com/html/advisories/codered.zip).
    
    Here's my theory on c:\notworm and its significance for detecting a "code
    red" infection.
    
    The EEye analysis does not mention c:\notworm being created, but a check
    for its existence.
    The message from ecchien does mention its creation, but no check for its  
    existence.
    The worm code contains references to the CreateFile function. [I'm NOT into
    assembler, therefore I cannot discern anything else with a decent degree
    of certainty]
    
    So a)
    c:\notworm is a safeguard preventing "code red" from going astray during
    development
    or b)
    c:\notworm is created after infection of a machine by "code red".
    
    If a) there's no significance to "code red" detection.
    
    If b) each machine should have c:\notworm after infection.
    Thus reinfection should NOT occur as long as c:\notworm stays present.
    So each machine having c:\notworm was at some point in time infected.
    
    Can anyone "in the know" or just with more assembler skills provide the  
    answer to this question?
    It's not that important, but I'd like to find out. ;-)
    
    Robinton
    
    -- 
    I've asked for kindness and ultimate truth. Still waiting for the answer.
    -- 
    Grant me this request, I ask: let me be the third in your network.
    (loosely after Schiller)
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
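If hypothesis (b) above holds, a host carrying c:\notworm was infected at some point, and the natural defender's move is to sweep the machines you administer for that marker. The following Python script is an added illustration of that sweep; it is not part of the original post or of the EEye analysis. It assumes the C: drive of each host can be reached through the administrative share `\\host\C$` with the rights of the account running it, and the host names in it are constructed placeholders.

```python
"""Triage helper: list hosts that carry the c:\\notworm marker file.

Added illustration, not part of the original mailing-list post. It assumes
hypothesis (b) from the post (the worm creates c:\\notworm after infecting a
host). The host names are placeholders; the share template is an assumption
about how the C: drive of a remote host is reached.
"""
import os
from typing import Dict, Iterable, List

# Marker file named in the post, relative to the root of the C: drive.
MARKER_NAME = "notworm"

# Template for reaching the C: drive of a remote host over its administrative
# share (assumption: the account running this script has rights on C$).
DEFAULT_ROOT_TEMPLATE = r"\\{host}\C$"


def marker_path(host: str, root_template: str = DEFAULT_ROOT_TEMPLATE) -> str:
    """Build the full path of the marker file on a given host."""
    return os.path.join(root_template.format(host=host), MARKER_NAME)


def check_hosts(hosts: Iterable[str],
                root_template: str = DEFAULT_ROOT_TEMPLATE) -> Dict[str, bool]:
    """Return {host: present} where present is True when c:\\notworm exists.

    os.path.isfile returns False both when the file is absent and when the
    host or share cannot be reached, so False only means "marker not seen".
    """
    return {host: os.path.isfile(marker_path(host, root_template))
            for host in hosts}


def flagged_hosts(results: Dict[str, bool]) -> List[str]:
    """Hosts whose marker was found, sorted for stable reporting."""
    return sorted(host for host, present in results.items() if present)


if __name__ == "__main__":
    # Constructed host list; replace with the hosts you actually administer.
    sample_hosts = ["web01", "web02", "web03"]
    found = check_hosts(sample_hosts)
    for host in sample_hosts:
        state = "marker present" if found[host] else "marker not seen"
        print(f"{host}: {state}")
    print("hosts to examine:", flagged_hosts(found))
```

The script only reports where the marker was seen; what that means depends on which of the two hypotheses in the post is correct, and under (a) the file carries no information about infection at all. Passing a different `root_template` (for example a local directory during testing) lets the same function be exercised without any network access.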
    



    This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 09:13:53 PDT