Re: New CodeRed variant - CodeRed.d

From: Ryan Russell (ryanat_private)
Date: Wed Aug 22 2001 - 11:18:37 PDT

    On Wed, 22 Aug 2001, David Kennedy CISSP wrote:
    > >From: Roger Thompson <rogertat_private>
    > >
    > >This evening, WormCatcher found a new, although minor variant of CodeRed.
    > >Specifically, the string "CodeRedII" has been replaced by underscores, and
    > >the byte at offset 07C5 is changed from a 0 to an FF.
    > >
    > >Replacing "CodeRedII" with underscores appears to be an attempt to fool any
    > >ids or av lame enough to look for that string as a detection. Changing the
    > >byte at offset 07C5 appears to not change the code materially, but is
    > >probably intended to throw off any checksummers which checksummed the body
    > >of the virus, excluding the "CodeRedII" string.
    
    I happen to have been given a copy of this variant of CodeRed II by Skip
    Carter about 30 minutes ago.  It is identical to CodeRed II, except:
    
    00000233: 43 5F
    00000234: 6F 5F
    00000235: 64 5F
    00000236: 65 5F
    00000237: 52 5F
    00000238: 65 5F
    00000239: 64 5F
    0000023A: 49 5F
    0000023B: 49 5F
    000007C5: 00 FF
    
    233-23B is the change of the atom from "CodeRedII" to "_________", which
    means that this variant can infect CodeRedII infected boxes.  The atom was
    a feature to prevent reinfection of the same box.
    
    The change at 7C5 is part of the address mask for randomizing.  From the
    original disassembly for CodeRed II:
    
    seg000:000007C1 FF FF FF FF dd 0FFFFFFFFh ; 0 - addr masks
    seg000:000007C5 00 FF FF FF dd 0FFFFFF00h ; 1
    seg000:000007C9 00 FF FF FF dd 0FFFFFF00h ; 2
    seg000:000007CD 00 FF FF FF dd 0FFFFFF00h ; 3
    seg000:000007D1 00 FF FF FF dd 0FFFFFF00h ; 4
    seg000:000007D5 00 00 FF FF dd 0FFFF0000h ; 5
    seg000:000007D9 00 00 FF FF dd 0FFFF0000h ; 6
    seg000:000007DD 00 00 FF FF dd 0FFFF0000h ; 7
    
    This byte changes the mask from FFFFFF00h to FFFFFFFFh, so now we have:
    
    2/8 - Random IP address
    3/8 - Keep same first octet ("Class A")
    3/8 - Keep same first and second octet ("Class B")
    
    I don't believe any of the changes were for the purpose of IDS evasion,
    but rather to help the thing spread further.  My assumption would be that
    this variant was made with something like a sector editor, and not by
    the original author with the original source code.
    
    So now we have confirmed a new Code Red worm, the 4th public one.  Let the
    naming confusion begin.
    
    					Ryan
    
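    As an added worked example (not part of the original post, and not the
    worm's own code), the following Python reads the two regions Ryan's diff
    points at (the atom name at 0x233 and the eight mask dwords at 0x7C1),
    computes the x/8 scan profile he worked out by hand, and labels a body by
    that structure rather than by the "CodeRedII" string that the variant
    underscores out. The sample bodies are constructed, zero-filled buffers
    with only those two regions populated; the combining formula in
    `apply_mask` ((random & mask) | (own & ~mask)) is an assumption derived
    from the "keep same first octet" description, not taken from the listing.

```python
import struct

# Offsets taken from the diff and the disassembly quoted in the post
ATOM_OFFSET = 0x233            # start of the "CodeRedII" atom name
ATOM_LEN = 9                   # len("CodeRedII")
MASK_TABLE_OFFSET = 0x7C1      # seg000:000007C1, first of 8 address masks
MASK_COUNT = 8

# Mask dword -> scanning strategy, as described in the post
STRATEGY = {
    0xFFFFFFFF: "random",
    0xFFFFFF00: "class A",     # keep first octet of the infected host's IP
    0xFFFF0000: "class B",     # keep first and second octet
}

# Mask table of the original CodeRed II, from the listing at 0x7C1
ORIGINAL_MASKS = [0xFFFFFFFF] + [0xFFFFFF00] * 4 + [0xFFFF0000] * 3


def build_sample_body(variant):
    """Constructed stand-in for a worm body (NOT real worm bytes): a
    zero-filled buffer with only the two regions the thread discusses."""
    body = bytearray(0x800)
    body[ATOM_OFFSET:ATOM_OFFSET + ATOM_LEN] = (
        b"_________" if variant else b"CodeRedII")
    masks = list(ORIGINAL_MASKS)
    if variant:
        masks[1] = 0xFFFFFFFF  # the 00 -> FF change at 0x7C5 (low byte of mask 1)
    body[MASK_TABLE_OFFSET:MASK_TABLE_OFFSET + 4 * MASK_COUNT] = (
        struct.pack("<8I", *masks))
    return bytes(body)


def read_masks(body):
    """Read the 8 mask dwords; little-endian matches the byte order in the listing."""
    return list(struct.unpack_from("<8I", body, MASK_TABLE_OFFSET))


def scan_profile(body):
    """Count how many of the 8 mask slots select each strategy (the x/8 figures)."""
    counts = {"random": 0, "class A": 0, "class B": 0, "unknown": 0}
    for m in read_masks(body):
        counts[STRATEGY.get(m, "unknown")] += 1
    return counts


def classify(body):
    """Label a body by its structure instead of by the 'CodeRedII' string,
    so the underscored atom does not defeat the check."""
    atom = bytes(body[ATOM_OFFSET:ATOM_OFFSET + ATOM_LEN])
    profile = scan_profile(body)
    if profile["unknown"]:
        return "not a CodeRed II mask table"
    if atom == b"CodeRedII" and profile["random"] == 1:
        return "CodeRed II (original)"
    if atom == b"_________" and profile["random"] == 2:
        return "CodeRed II variant (underscored atom, mask 1 randomized)"
    return "CodeRed II-like, unrecognized combination"


def apply_mask(own_ip, random_ip, mask):
    """Modelled target selection (assumption): (random & mask) | (own & ~mask),
    with the dotted quad's bytes read as one little-endian dword, so the
    low byte of the mask governs the first octet."""
    own = struct.unpack("<I", bytes(int(o) for o in own_ip.split(".")))[0]
    rnd = struct.unpack("<I", bytes(int(o) for o in random_ip.split(".")))[0]
    target = (rnd & mask) | (own & ~mask & 0xFFFFFFFF)
    return ".".join(str(b) for b in struct.pack("<I", target))


if __name__ == "__main__":
    for variant in (False, True):
        body = build_sample_body(variant)
        print(classify(body), scan_profile(body))
    # With mask 0xFFFFFF00 the infected host's first octet is kept
    print(apply_mask("10.1.2.3", "200.100.50.25", 0xFFFFFF00))
```

    Running it on the two constructed bodies reproduces the post's 1/8, 4/8,
    3/8 profile for the original and 2/8, 3/8, 3/8 for the variant; the
    single byte at 0x7C5 is what moves one slot from "class A" to "random".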
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 11:48:17 PDT