Bugtraq mailing list archives
Re: "Code Red" worm - there MUST be at least two versions.
From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 20 Jul 2001 15:38:04 -0600 (MDT)
On Fri, 20 Jul 2001, Don Papp wrote:
> I wonder if I have seen this variant - a person I emailed has a server whose served web pages look a lot like the Code Red worm's output (1 line of simple HTML) displaying FUCK CHINA GOVERNMENT and p0isonb0x (or something like that) on a black background. The web files themselves are untouched. Actually I have the source of what it spits out:
>
> <html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p align="center"><font size=7 color=red>fuck CHINA Government</font><tr><td><p align="center"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn () yahoo com cn</html>

I would tend to assume that isn't a variant of the worm. It's certainly not CRv1 or CRv2. The HTML is about 40 bytes longer than that in Code Red, so it would be a bit more than simply changing the HTML code in the worm and relaunching; you'd have to adjust the content length reference, and a number of other items. I would think it's non-trivial.

I would think this was a hand-done response to Code Red.

Ryan