Security Incidents mailing list archives
Re: code red - some questions
From: robinton () GMX de (Soeren Ziehe)
Date: 24 Jul 2001 11:23:00 +0100
In article <3D5AF8EEF250D311AB480001FA7EBE8003CD63E1 () xcem-casfo-07 wellsfargo com> [23 Jul 01] <neitherj () WellsFargo COM> wrote:
Actually, from the dissertation from EEye, I believe you can detect an infestation, even if dormant, by the existence of the directory c:\notworm on your system.
I'm not so sure. Reading the full analysis from EEye ('Full analysis of the .ida "Code Red" worm.' - <20010719001751.N2190 () securityfocus com>) I cannot find any reference to c:\notworm being created. They only mention c:\notworm being checked for and call it a "built-in Lysine deficiency". I'd guess that it's a "safe guard" by the worm author to prevent the worm from spreading during development and/or to be resistant to the live attacks.

However ecchien () yahoo com states in his message (<5.0.2.1.1.20010719131134.01ab6df0 () pop mail yahoo com>):

| Once executed, the worm creates an empty file c:\notworm as a marker
| that the initial main thread has occurred.

There is no reference to the working threads checking c:\notworm and going dormant if it exists, as in the EEye analysis. So there is quite a discrepancy, I'd say.

I haven't got an IIS system readily available to check this out at the moment. Being mainly an Apache (Linux) and Netware administrator, my contact with IIS is minimal under normal circumstances. :-)

Robinton

--
Death is Nature's way of telling you to slow down. (Terry Pratchett, STRATA)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- code red - some questions Soeren Ziehe (Jul 23)
- Re: code red - some questions Nick FitzGerald (Jul 23)
- Re: code red - some questions Bronek Kozicki (Jul 23)
- Re: code red - some questions Soeren Ziehe (Jul 24)