Re: Full analysis of the .ida "Code Red" worm.

From: Laurence Hand (lhand@co.la.ca.us)
Date: 07/20/01


Message-ID: <3B5770C8.4856618D@co.la.ca.us>
Date: Thu, 19 Jul 2001 16:44:08 -0700
From: Laurence Hand <lhand@co.la.ca.us>
To: Marc Maiffret <marc@eeye.com>
Subject: Re: Full analysis of the .ida "Code Red" worm.

Did anyone else see that one of Microsoft's windowsupdate.microsoft.com
servers got bit by this worm? It went away when we refreshed the screen
and presumably rolled over to another server, but it is definitely on at
least one of their servers.

I know MS watches this list, so I hope they will be checking their
servers before this starts the DDOS tomorrow.

Marc Maiffret wrote:
>
> The following is a detailed analysis of the "Code Red" .ida worm that we
> reported on July 17th 2001.
>
<snip>


