Security Incidents mailing list archives

Re: code red - some questions


From: robinton () GMX de (Soeren Ziehe)
Date: 24 Jul 2001 11:23:00 +0100

In article <3D5AF8EEF250D311AB480001FA7EBE8003CD63E1 () xcem-casfo-07 wellsfargo com> [23 Jul 01]
    <neitherj () WellsFargo COM> wrote:

| Actually, from the dissertation from EEye, I believe you can detect
| an infestation, even if dormant, by the existence of the directory
| c:\notworm on your system.

I'm not so sure.
Reading the full analysis from EEye ('Full analysis of the .ida "Code
Red" worm.' - <20010719001751.N2190 () securityfocus com>)
I cannot find any reference to c:\notworm being created. They only mention
c:\notworm being checked for and call it a "built-in Lysine deficiency".
I'd guess that it's a "safeguard" by the worm author to prevent the
worm from spreading during development and/or to be resistant to the
live attacks.

However, ecchien () yahoo com states in his message
(<5.0.2.1.1.20010719131134.01ab6df0 () pop mail yahoo com>):

| Once executed, the worm creates an empty file c:\notworm as a marker
| that the initial main thread has occurred.

There is no reference to the working threads checking c:\notworm and
going dormant if it exists, as in the EEye analysis.

So there is quite a discrepancy, I'd say.
I haven't got an IIS system readily available to check this out at the
moment.
Being mainly an Apache (Linux) and Netware administrator, my contact with
IIS is minimal under normal circumstances. :-)

Robinton

-- 
Death is Nature's way of telling you to slow down.
 (Terry Pratchett, STRATA)



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com