Re: Hard data on network impact of the "Code Red" worm?

["Steven M. Bellovin" <smb () research att com>]

In message <200107310341.WAA01723 () bluejay creighton edu>, Larry Sheldon writes:
> > On Mon, 30 July 2001, k claffy wrote:
> > > so, 1 aug midnite GMT (tomorrow 17:00 in california),
> > > codered goes back into 'spread' mode.
> > > within a few hours, we'll have 100,000-300,000
> > > globally infected machines again.
>
> NTBUGTRAQ is carrying informatiion that says that is not right.
>
> They say that currently extant copies of the thing will sleep forever,
> or until the host is re-booted--at which time the thing ceases to exist.

There seems to be some disagreement about this point.  CERT, in fact,
notes that explicitly (http://www.cert.org/advisories/CA-2001-23.html).
They also claim that enough infected machines have their clocks set 
wrong that there may be a new outbreak tonight (EDT) -- that one 
strikes me as less plausible.
> The hazard tomorrow is the introduction of new copies of the thing.

That hazard isn't specific to August 1.

                --Steve Bellovin, http://www.research.att.com/~smb