Re: Update to "Code Red" Worm. Its a date bomb, not time.

From: Blue Boar (BlueBoarat_private)
Date: Thu Jul 19 2001 - 15:38:07 PDT


    It's hardcoded to 198.137.240.91 (www1.whitehouse.gov):
    
    seg000:000008EB C7 85 80 FE FF FF+    mov     dword ptr [ebp-180h], 5BF089C6h ; set ip (www.whitehouse.gov)
    
    (From Marc's disassembly).
    
    						BB
    
    matt sommer wrote:
    > 
    > On Thu, 19 Jul 2001, Marc Maiffret wrote:
    > 
    > > We made an error in our last analysis and said the worm would start
    > > attacking whitehouse.gov based on a certain time. In reality it's based on a
    > > date (the 20th UTC) which is tomorrow.
    > >
    > 
    > If the worm isn't hardwired to attack 198.137.240.91 and 198.137.240.92,
    > it's too bad the folks at www.whitehouse.gov probably aren't willing to
    > change their IN A records to 127.0.0.1 for a few days.
    > 
    > --
    > Matt Sommer [MMS26], CISSP
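
How the immediate 5BF089C6h in the quoted instruction maps to 198.137.240.91, as an added example that is not part of the original post or of the disassembly it cites. The function names are hypothetical, and the sample bytes are constructed: the six opcode bytes come from the listing, and the four the listing truncates with "+" are the little-endian encoding of the immediate.

```python
import ipaddress
import struct

# Constructed sample: C7 85 80 FE FF FF (from the listing) followed by the
# imm32 5BF089C6h in little-endian order, with NOP padding around it.
SAMPLE = bytes.fromhex("90 90 C7 85 80 FE FF FF C6 89 F0 5B 90")


def find_ebp_imm32_stores(code):
    """Yield (offset, disp, imm) for each 'mov dword ptr [ebp+disp32], imm32'.

    Encoding: opcode C7 /0 with ModRM 85h (mod=10, reg=000, rm=101=ebp),
    then a signed 32-bit displacement and a 32-bit immediate, both stored
    little-endian. This is a raw byte-pattern scan, not a disassembler, so
    hits on real samples need confirming in a disassembly.
    """
    i = 0
    while True:
        i = code.find(b"\xC7\x85", i)
        if i < 0 or i + 10 > len(code):
            return
        disp, imm = struct.unpack_from("<iI", code, i + 2)
        yield i, disp, imm
        i += 1


def imm_as_ipv4(imm):
    """Render imm32 as the IPv4 address spelled out by its bytes in memory.

    The dword is stored low byte first, so 5BF089C6h sits in memory as
    C6 89 F0 5B, which read in order is 198.137.240.91.
    """
    return str(ipaddress.IPv4Address(struct.pack("<I", imm)))


def hardcoded_ips(code):
    """Return [(offset, displacement, dotted_quad)] for every matching store."""
    return [(off, disp, imm_as_ipv4(imm))
            for off, disp, imm in find_ebp_imm32_stores(code)]


if __name__ == "__main__":
    for off, disp, ip in hardcoded_ips(SAMPLE):
        print(f"+{off:#x}: [ebp{disp:+#x}] <- {ip}")
```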
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 15:47:00 PDT