@Markus Kern: Thank you for sharing this great piece of code ... it actually is a great solution (a much better one than mine) for the problem I was addressing.

Let me summarize what your code does:

Host [A] is compromised by CodeRedI/II.
Host [B] has your CRclean.dll ISAPI filter installed (either installed by the user or automated).
Host [A] sends out the exploit plus CodeRed to random addresses and hits Host [B].
Host [B] counters this infection attempt by sending its own exploit (CRclean.asm).
* Host [A] downloads CRclean.dll from Host [B].
* Host [A] executes CRclean.dll via rundll32 (func 'run') with system privileges.

This is what happens then (we are now in func 'run' from CRclean.dll):
* determines OS version
* loads needed DLLs
* downloads and applies the patch (determine lang, dl patch, execute it, terminate hotfix.exe, cleanup tempdir)
* removes CRII (delete explorer.exe, remove root.exe, reenable file protection, cleanup registry [mapping backdoors])
* adds the CRclean.dll ISAPI filter (registry)
* restarts IIS (iisrestart.exe /restart /timeout:30)

After the new filter is installed, Host [A] will join the fight against CodeRed.

Again ... this is a great solution, but I think that there are several problems in your code:

a) rundll32 is called with system privileges. I had some problems while accessing the registry with system privileges. It might be possible that CRclean is not able to install itself as a new filter.

b) If on Host [A] one of the CRII explorer.exe backdoors is running, this file can't be deleted (and can't be terminated via TerminateProcess [GetLastError: 5 (access denied)]).

The main problem (ISAPI filter buffer-overrun vulnerability) is solved, but there still remain the backdoors CRII injected on many systems. You should test your code under "in-the-wild" conditions.

@Stanley Bubrouski:

>Another worm...lovely...

Do you know how hard it is to write such a worm?

>Why not just flee the country?

Well ... I can't remember when I have committed a crime (did I?)
Anyways ... I am enjoying my holidays.

>Great. A lack of responsibility is the cornerstone to microsoft's terms of service, why should anyone expect any higher of its users.

Should I go out yelling "hey, I have written a worm that might take bandwidth and could render systems useless. I will take all the responsibility?" ???

>Tell that to the kids who unleash this and eat up ...

There is something you might not have considered: what happens if someone uses this vulnerability plus the backdoors CRII injected to spread code that performs DDoS attacks?

>How about making a tool that patches machines and isn't a worm?

Such a tool already exists ... let me remember ... Microsoft has produced it ... oh yeah, it's called a patch -).

Sorry ... but you should visit focus-virus if you want to flame some authors.

Bye,
Der HexXer.

--
GMX - The communication platform on the Internet. http://www.gmx.net
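The post lists the Code Red II residue that CRclean has to clean up (the explorer.exe copies, root.exe, the registry "mapping backdoors", the disabled file protection) and points out that the explorer.exe backdoor survives while it is running. The following is an added example for this thread, not CRclean.dll and not code posted by anyone in it: a defender-side check that flags that residue in a host inventory. It works on a constructed snapshot (a file list plus registry values) rather than a live machine, so it runs anywhere; the indicator details the post only alludes to (explorer.exe at drive roots, the W3SVC "Virtual Roots" key with /C and /D entries, the Winlogon SFCDisable value) are taken from public Code Red II analyses and are assumptions here, as are the sample registry data strings.

```python
"""Flag Code Red II residue in a host snapshot (added example, not CRclean)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Registry locations the worm touched (assumed, per public Code Red II analyses).
VIRTUAL_ROOTS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


@dataclass
class HostSnapshot:
    files: Iterable[str]                    # absolute Windows paths found on the host
    registry: Dict[str, Dict[str, object]]  # key -> {value name: data}


def check_crii_residue(snap: HostSnapshot) -> List[str]:
    """Return one finding per indicator; an empty list means nothing was found."""
    findings = []

    for path in sorted(snap.files):
        lowered = path.lower()
        # Worm copy dropped at the root of each drive: the backdoor the post
        # says cannot be deleted while the process is still running.
        if lowered[1:] == r":\explorer.exe":
            findings.append(f"explorer.exe at drive root: {path}")
        # cmd.exe copied into a web-reachable directory under the name root.exe.
        if lowered.endswith(r"\root.exe"):
            findings.append(f"root.exe backdoor: {path}")

    # Virtual roots that expose whole drives through IIS (the "mapping backdoors").
    vroots = snap.registry.get(VIRTUAL_ROOTS_KEY, {})
    for name, data in sorted(vroots.items()):
        if name.lower() in ("/c", "/d"):
            findings.append(f"virtual root {name} maps to {data}")

    # Windows File Protection switched off so the trojaned explorer.exe survives.
    sfc = snap.registry.get(WINLOGON_KEY, {}).get("SFCDisable", 0)
    if sfc != 0:
        findings.append(f"Windows File Protection disabled (SFCDisable={sfc:#x})")

    return findings


# Constructed snapshots: a clean IIS host and one carrying the residue.
# The ",,205" / ",,217" suffixes are constructed sample data, not real values.
CLEAN_HOST = HostSnapshot(
    files={r"C:\WINNT\explorer.exe", r"C:\Inetpub\scripts\default.asp"},
    registry={
        VIRTUAL_ROOTS_KEY: {"/Scripts": r"c:\inetpub\scripts,,205"},
        WINLOGON_KEY: {"SFCDisable": 0},
    },
)

INFECTED_HOST = HostSnapshot(
    files={
        r"C:\WINNT\explorer.exe",
        r"C:\explorer.exe",
        r"D:\explorer.exe",
        r"C:\Inetpub\scripts\root.exe",
        r"C:\progra~1\common~1\system\msadc\root.exe",
    },
    registry={
        VIRTUAL_ROOTS_KEY: {
            "/Scripts": r"c:\inetpub\scripts,,205",
            "/C": r"c:\,,217",
            "/D": r"d:\,,217",
        },
        WINLOGON_KEY: {"SFCDisable": 0xFFFFFF9D},
    },
)

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, check_crii_residue(snap) or ["no Code Red II residue"])
```

On a real host the snapshot would be filled from a directory walk and the two registry keys; keeping the check separate from the collection makes it easy to run the same logic against an offline image, which matters for the case the post raises, where the running explorer.exe copy blocks deletion.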
This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 08:30:28 PDT