RE: Full analysis of the .ida "Code Red" worm.
From: Eric Chien (ecchien@yahoo.com)
Date: 07/20/01
- Previous message: JNJ: "Re: Full analysis of the .ida "Code Red" worm."
- In reply to: Marc Maiffret: "RE: Full analysis of the .ida "Code Red" worm."
- Next in thread: Pierre Vandevenne: "Re: Full analysis of the .ida "Code Red" worm."
Message-Id: <5.0.2.1.1.20010720103114.02c09458@pop.mail.yahoo.com>
Date: Fri, 20 Jul 2001 10:42:13 +0200
To: "Marc Maiffret" <marc@eeye.com>, bugtraq@securityfocus.com
From: Eric Chien <ecchien@yahoo.com>
Subject: RE: Full analysis of the .ida "Code Red" worm.
At 06:55 PM 7/19/2001 -0700, you wrote:
>This whole worm process that we have been going through will basically start
>from scratch and run its course again when the 1st of next month comes
>around.
That is sort of true. What happens is on the 20th, the threads that were
trying to attack new hosts move to performing the DoS. All of those
threads on the 28th move into an infinite sleep. Thus, if you are infected
your infection goes dormant.
So, in the 'ideal' world, the worm goes dormant on the 1st. But if a
single new infection anywhere in the world happens again on the 1st, then
everyone (unpatched) is up for infection again.
And of course that can happen if anyone has their date set wrong.
...Eric