Security Incidents mailing list archives

Re: Correction: Re: tcpdump traces of CodeRed (lab environment)


From: "L. Christopher Paul" <lcp () bofh sh>
Date: Fri, 27 Jul 2001 08:43:20 -0400 (EDT)


It appears that I was mistaken when I said earlier that I was wrong...

Poor testing methodology led me to the quoted conclusion and incorrect
results.

Most of you will have seen the CERT advisory by now indicating that the worm
wakes back up on the 1st.

Yup. Sure does. Seems the first time I ran it I had c:\notworm in
place. Basically ended up using a dirty petri dish and got bad results.

Sometime tonight I hope to have the wakeup trace up at
http://www.bofh.sh/CodeRed along with the others.

Sorry ... if anyone needs me I'll be the one standing in the corner,

--lcp

On Thu, 26 Jul 2001, L. Christopher Paul wrote:


On the web site I indicated that the worm would wake up on the 1st and go
back to work.

After further testing and letting it roll-over and run for over 12 hours,
it appears that I was incorrect and that once dormant, Code Red stays that
way. (Which appears to be good news.)

Kudos to Chris Rouland <CRouland () iss net> and Jon Larimer
<JLarimer () iss net> for catching that. Thanks guys.

Sorry for the confusion.

--lcp


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

