Security Incidents mailing list archives

RE: CodeRedII - New non-variant codered worm - Analysis.


From: corecode <corecode () corecode ath cx>
Date: Sun, 05 Aug 2001 19:21:35 +0000

At 04:56 PM 8/5/2001, Michael Katz wrote:
On Sunday, August 05, 2001 5:24 AM, Marc Maiffret wrote:

> This worm, like the original Code Red worm, will only exploit Windows 2000
> web servers because it overwrites EIP with a jmp that is only correct under
> Windows 2000. Under NT4.0 etc... that offset is different so, the process
> will simply crash instead of allowing the worm to infect the system and
> spread.

Correct me if I'm wrong, but shouldn't the first sentence read:

"This worm, unlike the original Code Red worm..."
            ^^

The original Code Red worm affected both Windows NT and Windows 2000 systems running IIS4 and IIS5.

As I don't have an IIS server to check that out, my reply is somewhat theoretical.

The main and only thing CRv1/CRv2 and ida_root (calling it CR2 will lead to confusion!) have in common is the type of exploit they use:
overflowing some stack-based bug in the ida Indexing Server filter.

This is done the same way. Both worms use the same attack code (well, one uses "N", the other "X", but this shouldn't make a difference, I suppose, though I didn't check that).
So if they use the same code, it should work on the same machines.

That leads to three possibilities:
- both worms can compromise NT4 and 2k
- both worms can only get on 2k
- something in the previous statements is completely wrong.

cheerz
  corecode
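The one concrete difference the thread gives between the two worms is the filler byte in the .ida request ("N" for CRv1/CRv2, "X" for ida_root). An added example, not code from the thread or from any of its posters: a small Python classifier that walks IIS access log lines and labels requests to the .ida ISAPI filter by that filler byte. The log lines are constructed, the W3C field layout (date, time, client IP, method, URI stem, URI query, status) is an assumption, and the "%u9090" tail only stands in for the encoded payload that follows the filler; the classifier does not depend on it.

```python
import re

# Constructed sample IIS log lines, NOT real captures. Field layout is an
# assumption: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# The "%u9090" tail stands in for the %u-encoded payload after the filler.
SAMPLE_LOG = """\
2001-08-05 10:01:02 10.0.0.5 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090 200
2001-08-05 10:02:17 10.0.0.9 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX%u9090 200
2001-08-05 10:03:44 10.0.0.2 GET /index.html - 200
2001-08-05 10:04:01 10.0.0.7 GET /default.ida AAAAAAAAAAAAAAAAAAAAAAAA%u9090 500
2001-08-05 10:05:30 10.0.0.3 GET /query.ida CiRestriction=cat 200
"""

# A long run of one repeated byte at the start of the query string is the
# overflow filler; per the thread, the two worms differ only in which byte.
FILLER_RUN = re.compile(r"^([A-Za-z])\1{7,}")


def classify_query(query):
    """Label an .ida query string by its filler byte; return (label, run length)."""
    m = FILLER_RUN.match(query)
    if not m:
        return "other .ida request", 0
    filler, run_len = m.group(1), m.end()
    if filler == "N":
        return "Code Red v1/v2 (N filler)", run_len
    if filler == "X":
        return "Code Red II / ida_root (X filler)", run_len
    # Same overflow shape, different byte: a variant or a hand-made probe.
    return "unknown .ida overflow attempt (%s filler)" % filler, run_len


def parse_line(line):
    """Split one assumed-layout log line into a record, or None if malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, ip, method, stem, query, status = parts[:7]
    return {"ip": ip, "method": method, "stem": stem,
            "query": query, "status": status}


def classify_log(text):
    """Return one labelled record per request that reached the .ida filter."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        # Any .ida stem is handled by the same ISAPI filter, not just default.ida.
        if rec is None or not rec["stem"].lower().endswith(".ida"):
            continue
        label, run_len = classify_query(rec["query"])
        rec["label"] = label
        rec["filler_len"] = run_len
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in classify_log(SAMPLE_LOG):
        print("%s %s %s -> %s (filler run %d)"
              % (h["ip"], h["stem"], h["status"], h["label"], h["filler_len"]))
```

The filler byte is a fingerprint, not proof of which worm sent the request: the status code is worth keeping beside the label, since a 500 on an .ida overflow attempt is what you would expect from the "process will simply crash" case Marc describes, while a 200 tells you nothing about whether the jump offset matched.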


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

