Vulnerability Development mailing list archives

Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)


From: DerHexXer () gmx net
Date: Wed, 5 Sep 2001 15:56:01 +0200 (MEST)

@Markus Kern:
Thank you for sharing this great piece of code ...
... it actually is a great solution (a much better one than mine) for the
problem I was addressing.
Let me summarize what your code does:

Host [A] is compromised by CodeRedI/II.
Host [B] has your CRclean.dll isapi-filter installed (either installed by
user or automated).

Host [A] sends out exploit plus CodeRed to random addresses and hits Host
[B].
Host [B] counters this infection attempt by sending its own exploit
(CRclean.asm).
* Host [A] downloads CRclean.dll from Host [B]
* Host [A] executes CRclean.dll via rundll32 (func 'run') with system
privileges.
This is what happens then (we are now in func 'run' from CRclean.dll):
* determine OS version
* load needed DLLs
* download and apply patch (determine language, download patch, execute it,
terminate hotfix.exe, clean up temp dir)
* remove CRII (delete explorer.exe, remove root.exe, re-enable
file protection, clean up registry [mapping backdoors])
* add CRclean.dll ISAPI filter (registry)
* restart IIS (iisrestart.exe /restart /timeout:30)

After the new filter is installed, Host [A] will join the fight against CodeRed.

Again ... this is a great solution, but
I think that there are several problems in your code:
a) rundll32 is called with system privileges. I had some problems while
accessing the registry with system privileges. It might be possible that CRclean
is not able to install itself as a new filter.
b) If on Host [A] one of the CRII explorer.exe backdoors is running, this
file can't be deleted (and can't be terminated via TerminateProcess
[GetLastError: 5 (access denied)]).

The main problem (ISAPI filter buffer overrun vulnerability) is solved, but
there still remain the backdoors CRII injected on many systems. You should
test your code under "in-the-wild" conditions.



@Stanley Bubrouski:
> Another worm...lovely...
Do you know how hard it is to write such a worm?

> Why not just flee the country?
Well ... I can't remember when I have committed a crime (did I?)
Anyways ... I am enjoying my holidays.

> Great.  A lack of responsibility is the cornerstone to Microsoft's terms
> of service, why should anyone expect any higher of its users.

Should I go out yelling "Hey, I have written a worm that might take bandwidth
and could render systems useless. I will take all the responsibility"???

> Tell that to the kids who unleash this and eat up ...

There is something you might not have considered: what happens if someone
uses this vulnerability plus the backdoors CRII injected to spread code that
performs DDoS attacks?

> How about making a tool that patches machines and isn't a worm?
Such a tool already exists ... let me remember ... Microsoft has produced it
... oh yeah, it's called patch -).

Sorry ... but you should visit focus-virus if you want to flame some
authors.


Bye,
Der HexXer.

-- 
GMX - The communications platform on the Internet.
http://www.gmx.net
