Bugtraq mailing list archives
RE: Full analysis of the .ida "Code Red" worm.
From: Eric Chien <ecchien () yahoo com>
Date: Fri, 20 Jul 2001 10:42:13 +0200
At 06:55 PM 7/19/2001 -0700, you wrote:
This whole worm process that we have been going through will basically start from scratch and run its course again when the 1st of next month comes around.
That is sort of true. What happens is on the 20th, the threads that were trying to attack new hosts move to performing the DoS. All of those threads on the 28th move into an infinite sleep. Thus, if you are infected your infection goes dormant.
So, in the 'ideal' world, the worm goes dormant on the 1st. But if a single new infection anywhere in the world happens again on the 1st, then everyone (unpatched) is up for infection again.
And of course that can happen if anyone has their date set wrong. ...Eric
Current thread:
- Full analysis of the .ida "Code Red" worm. Marc Maiffret (Jul 18)
- Re: [BUGTRAQ] Full analysis of the .ida "Code Red" worm. Joe Harris (Jul 19)
- Re: Full analysis of the .ida "Code Red" worm. Laurence Hand (Jul 19)
- Re: Full analysis of the .ida "Code Red" worm. Ryan Russell (Jul 19)
- RE: Full analysis of the .ida "Code Red" worm. Marc Maiffret (Jul 19)
- RE: Full analysis of the .ida "Code Red" worm. Eric Chien (Jul 20)
- Re: Full analysis of the .ida "Code Red" worm. Ryan Russell (Jul 19)
- Re: Full analysis of the .ida "Code Red" worm. Pierre Vandevenne (Jul 19)
- Re: Full analysis of the .ida "Code Red" worm. JNJ (Jul 20)
- Timely Patching (was: Full analysis of the .ida "Code Red" worm.) Crispin Cowan (Jul 23)
- Re: Mitigating some of the effects of the Code Red worm Vincas Ciziunas (Jul 19)
- Re: Mitigating some of the effects of the Code Red worm Johannes B. Ullrich (Jul 19)
- Re: Mitigating some of the effects of the Code Red worm Ryan Russell (Jul 20)
- RE: Mitigating some of the effects of the Code Red worm Linda Custer (Jul 20)