RE: Where to get " code red worm source" ?

[Mel Chandler PMI <MChandler () pmi delta org>]

I can't believe you sent a virus to the group.  OMG

Mel L. Chandler, A+, Network+, MCNE, MCDBA, MCSE+I, CCNA
MChandler () PMI Delta org
Network Analyst
Information Services
PMI Delta Dental
(562) 467-6627



-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Wednesday, August 29, 2001 4:18 PM
To: Phil Wood; ls1100; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Where to get " code red worm source" ?


Second try.  I be a glutton for punishment.

This will be the contents of each attachment:

  % ls -l CR
  total 8
  -rw-r--r--    1 nobody   nogroup      5336 Aug 29 16:49 cr

There are 4 different files attached:

  -rw-r--r--    1 nobody   nogroup      2644 Aug 29 17:05 CR.bz2
  -rw-r--r--    1 nobody   nogroup      2190 Aug 29 17:06 CR.tgz
  -rw-r--r--    1 nobody   nogroup      7376 Aug 29 17:07 CR.uue
  -rw-r--r--    1 nobody   nogroup      2175 Aug 29 17:06 CR.zip

I guess zip wins in the storage department.

(in case you didn't see the fall out from my first attempt, 'cr' is the
 http payload that comprises codeRed II.  Sending as cr.bin was a bad
 or good idea depending on your frame of mind. Only time will tell with
 this post.  Also, contrary to some of the virus notices, as far as I
 know, this is not an executable piece of code.  It will only cause a
 problem if passed through an http server running some bogus IIS product.)

What a great day.

-- 
Phil Wood, cpw () lanl gov