Security Incidents mailing list archives

Re: New CodeRed variant - CodeRed.d


From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 22 Aug 2001 12:18:37 -0600 (MDT)

On Wed, 22 Aug 2001, David Kennedy CISSP wrote:
From: Roger Thompson <rogert () mindspring com>

This evening, WormCatcher found a new, although minor, variant of CodeRed.
Specifically, the string "CodeRedII" has been replaced by underscores, and
the byte at offset 07C5 is changed from a 0 to an FF.

Replacing "CodeRedII" with underscores appears to be an attempt to fool any
ids or av lame enough to look for that string as a detection. Changing the
byte at offset 07C5 appears to not change the code materially, but is
probably intended to throw off any checksummers which checksummed the body
of the virus, excluding the "CodeRedII" string.

I happen to have been given a copy of this variant of CodeRed II by Skip
Carter about 30 minutes ago.  It is identical to CodeRed II, except:

00000233: 43 5F
00000234: 6F 5F
00000235: 64 5F
00000236: 65 5F
00000237: 52 5F
00000238: 65 5F
00000239: 64 5F
0000023A: 49 5F
0000023B: 49 5F
000007C5: 00 FF

233-23B is the change of the atom from "CodeRedII" to "_________", which
means that this variant can infect CodeRedII infected boxes.  The atom was
a feature to prevent reinfection of the same box.

The change at 7C5 is part of the address mask for randomizing.  From the
original disassembly for CodeRed II:

seg000:000007C1 FF FF FF FF dd 0FFFFFFFFh ; 0 - addr masks
seg000:000007C5 00 FF FF FF dd 0FFFFFF00h ; 1
seg000:000007C9 00 FF FF FF dd 0FFFFFF00h ; 2
seg000:000007CD 00 FF FF FF dd 0FFFFFF00h ; 3
seg000:000007D1 00 FF FF FF dd 0FFFFFF00h ; 4
seg000:000007D5 00 00 FF FF dd 0FFFF0000h ; 5
seg000:000007D9 00 00 FF FF dd 0FFFF0000h ; 6
seg000:000007DD 00 00 FF FF dd 0FFFF0000h ; 7

This byte changes the mask from FFFFFF00h to FFFFFFFFh, so now we have:

2/8 - Random IP address
3/8 - Keep same first octet ("Class A")
3/8 - Keep same first and second octet ("Class B")

I don't believe any of the changes were for the purpose of IDS evasion,
but rather to help the thing spread further.  My assumption would be that
this variant was made with something like a sector editor, and not by
the original author with the original source code.

So now we have confirmed a new Code Red worm, the 4th public one.  Let the
naming confusion begin.

                                        Ryan
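
An added analyst helper (not part of Ryan's mail or of any worm code) that checks the claim above: it rebuilds the eight-dword mask table from the quoted disassembly, applies the one-byte change at 07C5 exactly as the hex diff describes it, and recounts how many of the eight slots randomize the whole address, keep the first octet, or keep the first two octets. It assumes the convention the mail implies: set mask bits are the randomized ones, and the address dword is in network byte order so the first octet sits in the low byte.

```python
import struct
from collections import Counter

MASK_TABLE_OFFSET = 0x7C1   # seg000:07C1 in the quoted disassembly
MASK_SLOTS = 8

# The eight dword masks exactly as they appear in the quoted listing (07C1..07DD).
ORIGINAL_MASKS = [0xFFFFFFFF] + [0xFFFFFF00] * 4 + [0xFFFF0000] * 3

# The single-byte change reported in the mail: offset 07C5, 00 -> FF.
CODERED_D_PATCH = (0x7C5, 0x00, 0xFF)


def build_image(masks):
    """Constructed stand-in for the worm body: zero-filled except for the mask table."""
    image = bytearray(MASK_TABLE_OFFSET + 4 * len(masks))
    for i, m in enumerate(masks):
        struct.pack_into("<I", image, MASK_TABLE_OFFSET + 4 * i, m)  # 'dd' = little-endian dword
    return image


def apply_byte_patch(image, patch):
    """Apply one (offset, old, new) diff entry; refuse if the byte is not what the diff says."""
    offset, old, new = patch
    if image[offset] != old:
        raise ValueError(f"offset {offset:08X}: expected {old:02X}, found {image[offset]:02X}")
    patched = bytearray(image)
    patched[offset] = new
    return patched


def read_masks(image):
    return [struct.unpack_from("<I", image, MASK_TABLE_OFFSET + 4 * i)[0]
            for i in range(MASK_SLOTS)]


def classify_mask(mask):
    """Count the low-order zero bytes: each is one leading octet kept from the local
    address (assumed convention: first octet in the low byte); set bytes are randomized."""
    kept = 0
    while kept < 4 and (mask >> (8 * kept)) & 0xFF == 0:
        kept += 1
    return {0: "random", 1: "class A", 2: "class B", 3: "class C"}.get(kept, "self")


def target_distribution(image):
    """Slot counts per class; each of the 8 slots is picked with probability 1/8."""
    return Counter(classify_mask(m) for m in read_masks(image))


if __name__ == "__main__":
    original = build_image(ORIGINAL_MASKS)
    print("CodeRed II:", dict(target_distribution(original)))
    print("CodeRed.d: ", dict(target_distribution(apply_byte_patch(original, CODERED_D_PATCH))))
```

Run against the constructed image this prints 1/4/3 for the original table and 2/3/3 after the patch, matching the 2/8, 3/8, 3/8 split described above; the old-byte check in apply_byte_patch also flags a sample that has already been altered.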


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

