"Portnoy, Gary" <gportnoyat_private> wrote: > I am suddenly seeing hundreds of Unicode traversal requests coming in from > all over the world, many of them from previous CodeRed victims. I am > guessing someone changed CodeBlue to make it spread faster, because before I > saw maybe 1 or 2 CodeBlue attempts a day, and so far i've seen at least 20 > in the last hour. Just a a way to help fingerprint it, a few of the > attempted exploits use the multiple decode vulnerability.... It is, most likely, Nimda (the self-named "Concept Virus" but don't use that name). It "correctly" implements the mechanisms that CodeBlue incorporated, and thus spreads. I (and presumably all the other dial-ups on my ISP) am currently being heavily scanned from several sub-nets in the Philippines... -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 19:25:08 PDT