Security Incidents mailing list archives

RE: CodeRedII - New non-variant codered worm - Analysis.


From: Josh Ballard <jballard () cloud cc ks us>
Date: 5 Aug 2001 22:42:58 -0000

Yes, they truly should have said that it was unlike the 
previous codered in the fact that it could only 
compromise 2k systems.  CRv1 can compromise 
both, and CRv2 can only compromise 2k.  Both 
systems fall for the exact same exploit, but the 
difference is in the payload.  There is something in 
the payload that is incompatible with NT, and thus will 
just cause the IIS in NT to restart.  I don't have the 
data in front of me, but I remember seeing this and it 
made sense as to what it was at the time...  That's 
just what I've seen and read anyway.  

Josh Ballard
oofle.com Linux Firewall Center
http://www.oofle.com/
jballard () cloud cc ks us
