Re: "Code Red" worm - there MUST be at least two versions.

[Ryan Russell <ryan () securityfocus com>]

On Fri, 20 Jul 2001, Don Papp wrote:

>       I wonder if I have seen this variant - a person I emailed has a
> server whose web pages served looks a lot like the Code Red worm's output
> (1 line of simple html) displaying
>
>       FUCK CHINA GOVERNENT
>       and p0isonb0x (or something like that)
>
>       On a black background.  The web files themselves are untouched.
>
>       Actually I have the source of what it spits out:
>
> <html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p
> align="center"><font size=7 color=red>fuck CHINA
> Government</font><tr><td><p align="center"><font size=7 color=red>fuck
> PoizonBOx<tr><td><p align="center"><font size=4
> color=red>contact:sysadmcn () yahoo com cn</html>

I would tend to assume that isn't a variant of the worm.  It's certainly
not CRv1 or CRv2.  The HTML is about 40 bytes longer than that in Code
Red, so it would be a bit more than simply changing the HTML code in the
worm and relaunching; you'd have to adjust the content length reference,
and a number of other items.  I would think it's non-trivial.

I would think this was a hand-done response to Code Red.

                                        Ryan