Re: "Code Red" worm questions

[Chris Keladis <Chris.Keladis () cmc cwo net au>]

w1re p4ir wrote:

> I've read practically everything about this worm that has been released. But there are a few questions that I have. 
> First off, I know the first exploit was written by hsj and it used the offsets for the japanesse version of IIS. Now 
> in this new worm, has the code been modified with US (or other) offsets to attack english versions? I have already 
> had a call regarding a possible "break in attempt." with very little other information. I would like to be able to 
> them either they are vulnerable to this worm or not. Thank you,
> w1re

The original eEye post about the idq.dll bug contains enough information on how to cause the buffer overflow.

It could be quickly put into a perl or similar scripted language for quick tests. (You wont get a C:\> prompt,
but if you crash IIS, it's a good indication you'll have no trouble using the appropriate exploit)

Personally i think just having idq.dll enabled when it's not needed is a vulnerability, but thats just me..




Regards,

Chris.



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com