Security Incidents mailing list archives

Re: What the *** is this


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Sat, 11 Aug 2001 10:00:41 +1200

Steve Halligan <agent33 () geeksquad com> wrote:

> Check this out.  Is this media nonsense, or is there really something to it?
>
> http://news.cnet.com/news/0-1003-200-6835996.html

Consensus among my contacts with good Korean contacts is that it is 
the former.  There is no "CodeRed III" though some people used that 
name, or "CodeRed [v]3", to prevent confusion with the use of various 
forms of "version 2" when the second CodeRed variant (the one with 
the fixed PRNG) was found.  Antivirus people still have lots of 
naming issues, but we have been dealing with these kinds of issues 
for years.

As it stands now, there are three CodeRed variants (or two if you think 
the last one is not a CodeRed variant).

CodeRed.A (aliases CodeRed, CRv1)

CodeRed.B (aliases CodeRed [v]2, CRv2)

CodeRed.C (aliases CodeRedII, CodeRed [v]3 and now CodeRed III)

Perhaps the above makes it clear why a structured taxonomy is a good 
thing.  The reason AV has included the third of these worms in the 
CodeRed family is that, although there is little (or no) code 
continuity between it and the earlier pair, it would just be too 
confusing to name it differently *and* enough different from 
"CodeRedII" and the security folks would call it that anyway and as 
much as possible we do not name malware after its writer(s) nor with 
the name its writer(s) wanted/intended.  (Yes, there are many 
(historical) "exceptions" to those last two "rules", but some of us 
are working on correcting that for future namings...)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

