Security Incidents mailing list archives

Re: CodeRedII worm..

From: "Emory Wood" <maui12ro () soback kornet net>
Date: Mon, 6 Aug 2001 18:09:22 +0900

Seeing a lot of activity here in South Korea net, looks like their more
worried about the "Hi" virus that hit around the 24th of July to worry about
patching there IIS systems.  Getting on average about 30 to 45 hits on CRv2
an hour (1705 kst), granted thats down from about 55 to 65 at about (0800
kst).  Anyone have a good English speaking contact at Korea Network
Information Center (KNIR) tried to talk to one of the folks there but my
Korean is not that good.

----- Original Message -----
From: <Valdis.Kletnieks () vt edu>
To: <incidents () securityfocus com>; <bugtraq () securityfocus com>
Sent: Sunday, August 05, 2001 5:38 PM
Subject: CodeRedII worm..

(Sorry for the cross-posting)

Given that initial analysis of the CodeRedII worm indicates that it leaves
a backdoor laying around, I hereby request that those people who made
lists of infected hosts available last time *NOT* do so again.

Although said lists *were* helpful in the analysis and study of the worm's
tactics, the benefits are certainly outweighted by the fact that the new
worm creates a known backdoor.  I'm certain that both the CodeRedII author
and other black hats would love for us to compile a list of afflicted

hosts

for them to use.

So please everybody - if you're sending IP's in to be added to a table,
make sure you're sending them to a white hat, not to a black hat who's
managed to social-engineer you.  If you're a white had compiling a list,
make sure the guy's hat is at least a light grey before you give them
a copy. ;)

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech

--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

CodeRedII worm.. Valdis . Kletnieks (Aug 05)
- Re: CodeRedII worm.. Pluto (Aug 05)
  - Re: CodeRedII worm.. A.L.Lambert (Aug 05)
  - Re: CodeRedII worm.. Nick FitzGerald (Aug 06)
- Re: CodeRedII worm.. Nick FitzGerald (Aug 06)
- Re: CodeRedII worm.. Emory Wood (Aug 06)