code red - c:\notworm

[robinton () GMX de (Soeren Ziehe)]

Hello,

about c:\notworm ...

I re-read the analysis from EEye ('Full analysis of the .ida "Code Red"  
worm.') and the message from ecchien () yahoo com.
Also I had a look at the worm code (http://www.eeye.com/html/advisories/ 
codered.zip)

He're my theory onto c:\notworm and it significance to detect an "code  
red" infection.

The EEye analysis does not mention c:\notworm being created, but a check  
for it's existence.
The message from ecchien does mention its creation, but no check for its  
existence.
The worm code contains references to CreateFile function. [I'm NOT into  
assembler, therefore I cannot discern anything else with a decent degree  
of certainty]

So a)
c:\notworm is a safe guard prohibiting "code red" to go astray during  
development
or b)
c:\notworm is created after infection of a maschine by "code red".

If a) there's no significance to "code red" detection.

If b) each maschine should have c:\notworm after infection.
Thus reinfection should NOT occur as long as c:\notworm stays present.
So each maschine having c:\notworm was at some point in time infected.

Can anyone "in the know" or just with more assembler skills provide the  
answer to this question?
It's not that important, but I'd like to find out. ;-)

Robinton

-- 
I've asked for kindness and ultimate truth. Still waiting for the answer.
-- 
Ich sei, gewaehret mir die Bitte, in eurem Netzwerk der Dritte.
(frei nach Schiller)



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com