Re: code red - c:\notworm

[Jon Zobrist <jzobrist () avaltus com>]

We had one machine that was Code Reded, and there was no c:\notworm file
I believe it was CRv1 and not CRv2 that hit us, so maybe things changed.

-Jon

On Thursday 26 July 2001 10:38 am, you wrote:
> Hello,
>
> about c:\notworm ...
>
> I re-read the analysis from EEye ('Full analysis of the .ida "Code Red"
> worm.') and the message from ecchien () yahoo com.
> Also I had a look at the worm code (http://www.eeye.com/html/advisories/
> codered.zip)
>
> He're my theory onto c:\notworm and it significance to detect an "code
> red" infection.
>
> The EEye analysis does not mention c:\notworm being created, but a check
> for it's existence.
> The message from ecchien does mention its creation, but no check for its
> existence.
> The worm code contains references to CreateFile function. [I'm NOT into
> assembler, therefore I cannot discern anything else with a decent degree
> of certainty]
>
> So a)
> c:\notworm is a safe guard prohibiting "code red" to go astray during
> development
> or b)
> c:\notworm is created after infection of a maschine by "code red".
>
> If a) there's no significance to "code red" detection.
>
> If b) each maschine should have c:\notworm after infection.
> Thus reinfection should NOT occur as long as c:\notworm stays present.
> So each maschine having c:\notworm was at some point in time infected.
>
> Can anyone "in the know" or just with more assembler skills provide the
> answer to this question?
> It's not that important, but I'd like to find out. ;-)
>
> Robinton

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com