Vulnerability Development mailing list archives

Re: Update to "Code Red" Worm. Its a date bomb, not time.


From: Blue Boar <BlueBoar () thievco com>
Date: Thu, 19 Jul 2001 15:38:07 -0700

It's hardcoded to 198.137.240.91 (www1.whitehouse.gov):

seg000:000008EB C7 85 80 FE FF FF+    mov     dword ptr [ebp-180h], 5BF089C6h ; set ip (www.whitehouse.gov)

(From Marc's disassembly).

                                                BB

matt sommer wrote:

On Thu, 19 Jul 2001, Marc Maiffret wrote:

We made an error in our last analysis and said the worm would start
attacking whitehouse.gov based on a certain time. In reality it's based on a
date (the 20th UTC) which is tomorrow.


If the worm isn't hardwired to attack 198.137.240.91 and 198.137.240.92,
it's too bad the folks at www.whitehouse.gov probably aren't willing to
change their IN A records to 127.0.0.1 for a few days.

--
Matt Sommer [MMS26], CISSP
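
Added example (not part of the original post or of Marc's disassembly): the immediate 5BF089C6h in the quoted instruction is 198.137.240.91 once the dword is read in the byte order x86 stores it, and the Python sketch below pulls such candidate addresses out of raw code bytes when triaging a sample. The function names are hypothetical and the sample bytes are constructed from the listing quoted above.

```python
import ipaddress
import struct

# Constructed sample: the quoted instruction rebuilt from its listing
# (opcode C7 85, disp32 = -180h, imm32 = 5BF089C6h), padded with NOPs.
SAMPLE = bytes.fromhex("90 90 C7 85 80 FE FF FF C6 89 F0 5B 90")


def find_ebp_imm32_stores(code: bytes):
    """Yield (offset, displacement, imm32) for `mov dword ptr [ebp+disp], imm32`.

    Plain byte-pattern scan, not a disassembler: it can match in the middle
    of other instructions, so hits are candidates to confirm in a listing.
    """
    i = 0
    while i < len(code) - 1:
        if code[i] == 0xC7 and code[i + 1] == 0x85 and i + 10 <= len(code):
            # ModRM 85h: [ebp + disp32], followed by imm32
            disp, imm = struct.unpack_from("<iI", code, i + 2)
            yield i, disp, imm
            i += 10
        elif code[i] == 0xC7 and code[i + 1] == 0x45 and i + 7 <= len(code):
            # ModRM 45h: [ebp + disp8], followed by imm32
            disp, imm = struct.unpack_from("<bI", code, i + 2)
            yield i, disp, imm
            i += 7
        else:
            i += 1


def imm32_as_ipv4(imm: int) -> str:
    """Dotted quad formed by the dword's bytes as x86 lays them out in memory.

    A little-endian store of 5BF089C6h writes C6 89 F0 5B, which is the
    order an IPv4 address has on the wire.
    """
    return str(ipaddress.IPv4Address(struct.pack("<I", imm)))


def candidate_ips(code: bytes):
    """List (offset, displacement, dotted quad) for every matching store."""
    return [(off, hex(disp), imm32_as_ipv4(imm))
            for off, disp, imm in find_ebp_imm32_stores(code)]


if __name__ == "__main__":
    for off, disp, ip in candidate_ips(SAMPLE):
        print(f"+{off:#x}: [ebp{disp}] <- {ip}")
```

Any 32-bit constant decodes to some dotted quad, so each hit needs to be checked against how the value is used before it is treated as an indicator.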

