RE: CodeRedII - New non-variant codered worm - Analysis.

From: Michael Katz (mikeat_private)
Date: Sun Aug 05 2001 - 09:56:35 PDT

    On Sunday, August 05, 2001 5:24 AM, Marc Maiffret wrote:
    
    > This worm, like the original Code Red worm, will only exploit Windows 2000
    > web servers because it overwrites EIP with a jmp that is only correct under
    > Windows 2000. Under NT4.0 etc... that offset is different so, the process
    > will simply crash instead of allowing the worm to infect the system and
    > spread.
    
    Correct me if I'm wrong, but shouldn't the first sentence read:
    
    "This worm, unlike the original Code Red worm..."
                ^^
    
    The original Code Red worm affected both Windows NT and Windows 2000 systems running IIS4 and IIS5.
    
    Michael Katz
    mikeat_private
    Responsible Solutions, Ltd.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


