Security Incidents mailing list archives

RE: CodeRedII - New non-variant codered worm - Analysis.


From: "Michael Katz" <mike () responsible com>
Date: Sun, 5 Aug 2001 09:56:35 -0700

On Sunday, August 05, 2001 5:24 AM, Marc Maiffret wrote:

This worm, like the original Code Red worm, will only exploit Windows 2000
web servers because it overwrites EIP with a jmp that is only correct under
Windows 2000. Under NT4.0 etc... that offset is different, so the process
will simply crash instead of allowing the worm to infect the system and
spread.

Correct me if I'm wrong, but shouldn't the first sentence read:

"This worm, unlike the original Code Red worm..."
            ^^

The original Code Red worm affected both Windows NT and Windows 2000 systems running IIS4 and IIS5.

Michael Katz
mike () responsible com
Responsible Solutions, Ltd.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

