RE: CodeRedII - New non-variant codered worm - Analysis.

From: Josh Ballard (jballardat_private)
Date: Sun Aug 05 2001 - 15:42:58 PDT

Next message: A.L.Lambert: "Re: CodeRedII worm.."

Previous message: terry white: "Re: CR vs. CoreBuilder"
Maybe in reply to: Marc Maiffret: "CodeRedII - New non-variant codered worm - Analysis."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Yes, they truly should have said that it was unlike the 
previous codered in the fact that it could only 
compromise 2k systems.  CRv1 can compromise 
both, and CRv2 can only compromise 2k.  Both 
systems fall for the exact same exploit, but the 
difference is in the payload.  There is something in 
the payload that is incompatible with NT, and thus will 
just cause the IIS in NT to restart.  I don't have the 
data in front of me, but I remember seing this and it 
made sense as to what it was at the time...  That's 
just what I've seen and read anyway.  

Josh Ballard
oofle.com Linux Firewall Center
http://www.oofle.com/
jballardat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: A.L.Lambert: "Re: CodeRedII worm.."
Previous message: terry white: "Re: CR vs. CoreBuilder"
Maybe in reply to: Marc Maiffret: "CodeRedII - New non-variant codered worm - Analysis."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 16:39:18 PDT