Re: code red - c:\notworm

From: Jon Zobrist (jzobristat_private)
Date: Thu Jul 26 2001 - 09:24:40 PDT


    We had one machine that was Code Reded, and there was no c:\notworm file.
    I believe it was CRv1 and not CRv2 that hit us, so maybe things changed.
    
    -Jon
    
    On Thursday 26 July 2001 10:38 am, you wrote:
    > Hello,
    >
    > about c:\notworm ...
    >
    > I re-read the analysis from EEye ('Full analysis of the .ida "Code Red"
    > worm.') and the message from ecchienat_private
    > Also I had a look at the worm code (http://www.eeye.com/html/advisories/codered.zip)
    >
    > Here's my theory on c:\notworm and its significance for detecting a "code
    > red" infection.
    >
    > The EEye analysis does not mention c:\notworm being created, but a check
    > for its existence.
    > The message from ecchien does mention its creation, but no check for its
    > existence.
    > The worm code contains references to CreateFile function. [I'm NOT into
    > assembler, therefore I cannot discern anything else with a decent degree
    > of certainty]
    >
    > So a)
    > c:\notworm is a safeguard prohibiting "code red" from going astray during
    > development
    > or b)
    > c:\notworm is created after infection of a machine by "code red".
    >
    > If a) there's no significance to "code red" detection.
    >
    > If b) each machine should have c:\notworm after infection.
    > Thus reinfection should NOT occur as long as c:\notworm stays present.
    > So each machine having c:\notworm was at some point in time infected.
    >
    > Can anyone "in the know" or just with more assembler skills provide the
    > answer to this question?
    > It's not that important, but I'd like to find out. ;-)
    >
    > Robinton
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 12:06:34 PDT