Security Incidents mailing list archives
RE: CodeRedII - New non-variant codered worm - Analysis.
From: "Michael Katz" <mike () responsible com>
Date: Sun, 5 Aug 2001 09:56:35 -0700
On Sunday, August 05, 2001 5:24 AM, Marc Maiffret wrote:
This worm, like the original Code Red worm, will only exploit Windows 2000 web servers because it overwrites EIP with a jmp that is only correct under Windows 2000. Under NT4.0 etc... that offset is different so, the process will simply crash instead of allowing the worm to infect the system and spread.
Correct me if I'm wrong, but shouldn't the first sentence read: "This worm, unlike the original Code Red worm..." ^^ The original Code Red worm affected both Windows NT and Windows 2000 systems running IIS4 and IIS5. Michael Katz mike () responsible com Responsible Solutions, Ltd. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- CodeRedII - New non-variant codered worm - Analysis. Marc Maiffret (Aug 05)
- RE: CodeRedII - New non-variant codered worm - Analysis. Michael Katz (Aug 05)
- RE: CodeRedII - New non-variant codered worm - Analysis. corecode (Aug 05)
- <Possible follow-ups>
- RE: CodeRedII - New non-variant codered worm - Analysis. Josh Ballard (Aug 05)
- RE: CodeRedII - New non-variant codered worm - Analysis. Michael Katz (Aug 05)