New CodeRed variant - CodeRed.d : x-posted intentionally.

["Pete Sherwood" <petersherwood () home com>]

You may want to join AVIEN (Anti-Virus Information Exchange Network) 
in order to have this type of EWS (Early Warning System) available for your Anti-Virus defenses.

Excerpt:

Hi all,

A couple of weeks ago, I became curious to find out exactly what was 
knocking on port 80 on my pcs. I figured it was probably a CodeRed, but 
which one? To answer that question, I wrote a program which I call 
WormCatcher to listen on port 80 and checksum whatever comes calling. 
Recognized checksums are logged, and emailed to me every hour, and 
unrecognized checksums (i.e. possible variations) are emailed to me 
immediately. It's been live on just a few workstations for just a few days, 
but it has found several variants which looked like they'd been modified by 
some routers or repeaters along the way, which changed the code offsets, 
and therefore rendered the worm sterile.

This evening, WormCatcher found a new, although minor variant of CodeRed. 
Specifically, the string "CodeRedII" has been replaced by underscores, and 
the byte at offset 07C5 is changed from a 0 to an FF.

Replacing "CodeRedII" with underscores appears to be an attempt to fool any 
ids or av lame enough to look for that string as a detection. Changing the 
byte at offset 07C5 appears to not change the code materially, but is 
probably intended to throw off any checksummers which checksummed the body 
of the virus, excluding the "CodeRedII" string.

This is such a minor variation that I wouldn't have bothered mentioning it 
except that WormCatcher found it once from an IP in Korea, and secondly 
from a college here in the Eastern United States.

What is noteworthy then is that it is probably a deliberate, if ill-thought 
out attempt to populate a new variation into the wild.

Functionality has not been changed. The initial "GET " and many "X" strings 
are identical, so any IDSs looking for that will do fine. Patched servers 
are still not vulnerable. No one needs to do anything unless they are 
detecting by lame string or checksum.

Regards

Roger Thompson
Technical Director of Malicious Code Research
TruSecure Corporation

-=-=-=-=

Copied by:
Pete Sherwood 613-260-0612 (home/office) : 613-591-8900 ext. 525 (voice-mail)
PGP and Thawte digital keys available @ http://members.home.net/petersherwood/
Founding member of http://AVIEN.org (Anti-Virus Information Exchange Network)
Scan for malware: http://members.home.net/petersherwood/vulnerability_scanning.htm

Attachment: smime.p7s
Description: