Security Incidents mailing list archives
Re: code red - c:\notworm
From: Jon Zobrist <jzobrist () avaltus com>
Date: Thu, 26 Jul 2001 10:24:40 -0600
We had one machine that was Code Reded, and there was no c:\notworm file. I believe it was CRv1 and not CRv2 that hit us, so maybe things changed.

-Jon

On Thursday 26 July 2001 10:38 am, you wrote:
> Hello, about c:\notworm ...
>
> I re-read the analysis from EEye ('Full analysis of the .ida "Code Red" worm.') and the message from ecchien () yahoo com. Also I had a look at the worm code (http://www.eeye.com/html/advisories/codered.zip).
>
> Here's my theory on c:\notworm and its significance for detecting a "code red" infection.
>
> The EEye analysis does not mention c:\notworm being created, but a check for its existence. The message from ecchien does mention its creation, but no check for its existence. The worm code contains references to the CreateFile function. [I'm NOT into assembler, therefore I cannot discern anything else with a decent degree of certainty]
>
> So
> a) c:\notworm is a safeguard prohibiting "code red" from going astray during development, or
> b) c:\notworm is created after infection of a machine by "code red".
>
> If a), there's no significance for "code red" detection.
> If b), each machine should have c:\notworm after infection. Thus reinfection should NOT occur as long as c:\notworm stays present. So each machine having c:\notworm was at some point in time infected.
>
> Can anyone "in the know" or just with more assembler skills provide the answer to this question? It's not that important, but I'd like to find out. ;-)
>
> Robinton
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com