We had one machine that was Code Reded, and there was no c:\notworm file. I believe it was CRv1 and not CRv2 that hit us, so maybe things changed.

-Jon

On Thursday 26 July 2001 10:38 am, you wrote:
> Hello,
>
> about c:\notworm ...
>
> I re-read the analysis from EEye ('Full analysis of the .ida "Code Red"
> worm.') and the message from ecchienat_private
> Also I had a look at the worm code (http://www.eeye.com/html/advisories/
> codered.zip)
>
> Here's my theory on c:\notworm and its significance for detecting a "code
> red" infection.
>
> The EEye analysis does not mention c:\notworm being created, but a check
> for its existence.
> The message from ecchien does mention its creation, but no check for its
> existence.
> The worm code contains references to the CreateFile function. [I'm NOT into
> assembler, therefore I cannot discern anything else with a decent degree
> of certainty]
>
> So a)
> c:\notworm is a safeguard prohibiting "code red" from going astray during
> development
> or b)
> c:\notworm is created after infection of a machine by "code red".
>
> If a) there's no significance for "code red" detection.
>
> If b) each machine should have c:\notworm after infection.
> Thus reinfection should NOT occur as long as c:\notworm stays present.
> So each machine having c:\notworm was at some point in time infected.
>
> Can anyone "in the know" or just with more assembler skills provide the
> answer to this question?
> It's not that important, but I'd like to find out. ;-)
>
> Robinton

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 12:06:34 PDT