It's hardcoded to 198.137.240.91 (www1.whitehouse.gov): seg000:000008EB C7 85 80 FE FF FF+ mov dword ptr [ebp-180h], 5BF089C6h ; set ip (www.whitehouse.gov) (From Marc's disassembly). BB matt sommer wrote: > > On Thu, 19 Jul 2001, Marc Maiffret wrote: > > > We made an error in our last analysis and said the worm would start > > attacking whitehouse.gov based on a certain time. In reality its based on a > > date (the 20th UTC) which is tomorrow. > > > > If the worm isnt hardwired to attack 198.137.240.91 and 198.137.240.92, > its too bad the folks at www.whitehouse.gov probably arent willing to > change their IN A records to 127.0.0.1 for a few days. > > -- > Matt Sommer [MMS26], CISSP
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 15:47:00 PDT