Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: CRv2 - Questions

From: "The Death" <thedeadh () netvision net il>
Date: Tue, 24 Jul 2001 23:07:24 +0200
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I thought the worm skipped 127.x.x.x and 224.x.x.x addresses?
(From eEye's analysis)


It does, very simple: The PRNG output is checked before the worm
attempts to connect to the IP generated. It just discards IPs with
the 4th byte of 127 or 224.

The Death

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO13hse6B0r4ZZEp/EQKq2gCgv8w4Mf7fgl7VwPAABieiQJtId3UAoLSI
hdLCPoO7PfsdUu+pG9not0hG
=bc3y
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: