Bugtraq mailing list archives

RE: Full analysis of the .ida "Code Red" worm.

From: Eric Chien <ecchien () yahoo com>
Date: Fri, 20 Jul 2001 10:42:13 +0200

At 06:55 PM 7/19/2001 -0700, you wrote:

This whole worm process that we have been going through will basically start
from scratch and run its course again when the 1st of next month comes
around.

That is sort of true. What happens is on the 20th, the threads that weretrying to attack new hosts move to performing the DoS. All of thosethreads on the 28th move into an infinite sleep. Thus, if you are infectedyour infection goes dormant.

So, in the 'ideal' world, the worm goes dormant on the 1st. But if asingle new infection anywhere in the world happens again on the 1st, theneveryone (unpatched) is up for infection again.


And of course that can happen if anyone has their date set wrong.

...Eric

Current thread:

Full analysis of the .ida "Code Red" worm. Marc Maiffret (Jul 18)
- Re: [BUGTRAQ] Full analysis of the .ida "Code Red" worm. Joe Harris (Jul 19)
- Re: Full analysis of the .ida "Code Red" worm. Laurence Hand (Jul 19)
  - Re: Full analysis of the .ida "Code Red" worm. Ryan Russell (Jul 19)
    - RE: Full analysis of the .ida "Code Red" worm. Marc Maiffret (Jul 19)
    - RE: Full analysis of the .ida "Code Red" worm. Eric Chien (Jul 20)
  - Re: Full analysis of the .ida "Code Red" worm. Pierre Vandevenne (Jul 19)
    - Re: Full analysis of the .ida "Code Red" worm. JNJ (Jul 20)
    - Timely Patching (was: Full analysis of the .ida "Code Red" worm.) Crispin Cowan (Jul 23)
- Mitigating some of the effects of the Code Red worm LARD BENJAMIN LEE (Jul 19)
  - Re: Mitigating some of the effects of the Code Red worm Vincas Ciziunas (Jul 19)
  - Re: Mitigating some of the effects of the Code Red worm Johannes B. Ullrich (Jul 19)
  - Re: Mitigating some of the effects of the Code Red worm Ryan Russell (Jul 20)
    - RE: Mitigating some of the effects of the Code Red worm Linda Custer (Jul 20)