New CodeRed variant - CodeRed.d : x-posted intentionally.

From: Pete Sherwood (petersherwoodat_private)
Date: Wed Aug 22 2001 - 11:16:20 PDT

Next message: Mads Rasmussen: "Re: New CodeRed variant - CodeRed.d : x-posted intentionally."

Previous message: Dimitry Andric: "Re: Windows XP RC2"
Next in thread: Mads Rasmussen: "Re: New CodeRed variant - CodeRed.d : x-posted intentionally."
Reply: Mads Rasmussen: "Re: New CodeRed variant - CodeRed.d : x-posted intentionally."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

You may want to join AVIEN (Anti-Virus Information Exchange Network)
in order to have this type of EWS (Early Warning System) available for your Anti-Virus defenses.

Excerpt:

Hi all,

A couple of weeks ago, I became curious to find out exactly what was
knocking on port 80 on my pcs. I figured it was probably a CodeRed, but
which one? To answer that question, I wrote a program which I call
WormCatcher to listen on port 80 and checksum whatever comes calling.
Recognized checksums are logged, and emailed to me every hour, and
unrecognized checksums (i.e. possible variations) are emailed to me
immediately. It's been live on just a few workstations for just a few days,
but it has found several variants which looked like they'd been modified by
some routers or repeaters along the way, which changed the code offsets,
and therefore rendered the worm sterile.

This evening, WormCatcher found a new, although minor variant of CodeRed.
Specifically, the string "CodeRedII" has been replaced by underscores, and
the byte at offset 07C5 is changed from a 0 to an FF.

Replacing "CodeRedII" with underscores appears to be an attempt to fool any
ids or av lame enough to look for that string as a detection. Changing the
byte at offset 07C5 appears to not change the code materially, but is
probably intended to throw off any checksummers which checksummed the body
of the virus, excluding the "CodeRedII" string.

This is such a minor variation that I wouldn't have bothered mentioning it
except that WormCatcher found it once from an IP in Korea, and secondly
from a college here in the Eastern United States.

What is noteworthy then is that it is probably a deliberate, if ill-thought
out attempt to populate a new variation into the wild.

Functionality has not been changed. The initial "GET " and many "X" strings
are identical, so any IDSs looking for that will do fine. Patched servers
are still not vulnerable. No one needs to do anything unless they are
detecting by lame string or checksum.

Regards

Roger Thompson
Technical Director of Malicious Code Research
TruSecure Corporation

-=-=-=-=

Copied by:
Pete Sherwood 613-260-0612 (home/office) : 613-591-8900 ext. 525 (voice-mail)
PGP and Thawte digital keys available @ http://members.home.net/petersherwood/
Founding member of http://AVIEN.org (Anti-Virus Information Exchange Network)
Scan for malware: http://members.home.net/petersherwood/vulnerability_scanning.htm

application/x-pkcs7-signature attachment: smime.p7s

Next message: Mads Rasmussen: "Re: New CodeRed variant - CodeRed.d : x-posted intentionally."
Previous message: Dimitry Andric: "Re: Windows XP RC2"
Next in thread: Mads Rasmussen: "Re: New CodeRed variant - CodeRed.d : x-posted intentionally."
Reply: Mads Rasmussen: "Re: New CodeRed variant - CodeRed.d : x-posted intentionally."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 11:25:27 PDT