You may want to join AVIEN (Anti-Virus Information Exchange Network) in order to have this type of EWS (Early Warning System) available for your Anti-Virus defenses. Excerpt: Hi all, A couple of weeks ago, I became curious to find out exactly what was knocking on port 80 on my pcs. I figured it was probably a CodeRed, but which one? To answer that question, I wrote a program which I call WormCatcher to listen on port 80 and checksum whatever comes calling. Recognized checksums are logged, and emailed to me every hour, and unrecognized checksums (i.e. possible variations) are emailed to me immediately. It's been live on just a few workstations for just a few days, but it has found several variants which looked like they'd been modified by some routers or repeaters along the way, which changed the code offsets, and therefore rendered the worm sterile. This evening, WormCatcher found a new, although minor variant of CodeRed. Specifically, the string "CodeRedII" has been replaced by underscores, and the byte at offset 07C5 is changed from a 0 to an FF. Replacing "CodeRedII" with underscores appears to be an attempt to fool any ids or av lame enough to look for that string as a detection. Changing the byte at offset 07C5 appears to not change the code materially, but is probably intended to throw off any checksummers which checksummed the body of the virus, excluding the "CodeRedII" string. This is such a minor variation that I wouldn't have bothered mentioning it except that WormCatcher found it once from an IP in Korea, and secondly from a college here in the Eastern United States. What is noteworthy then is that it is probably a deliberate, if ill-thought out attempt to populate a new variation into the wild. Functionality has not been changed. The initial "GET " and many "X" strings are identical, so any IDSs looking for that will do fine. Patched servers are still not vulnerable. No one needs to do anything unless they are detecting by lame string or checksum. Regards Roger Thompson Technical Director of Malicious Code Research TruSecure Corporation -=-=-=-= Copied by: Pete Sherwood 613-260-0612 (home/office) : 613-591-8900 ext. 525 (voice-mail) PGP and Thawte digital keys available @ http://members.home.net/petersherwood/ Founding member of http://AVIEN.org (Anti-Virus Information Exchange Network) Scan for malware: http://members.home.net/petersherwood/vulnerability_scanning.htm
This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 11:25:27 PDT