Correction: Re: tcpdump traces of CodeRed (lab environment)

From: L. Christopher Paul (lcp@bofh.sh)
Date: 07/26/01

• Previous message: Nick FitzGerald: "Re: Tracking SirCam"
• In reply to: lcp@bofh.sh: "tcpdump traces of CodeRed (lab environment)"
• Next in thread: L. Christopher Paul: "Re: Correction: Re: tcpdump traces of CodeRed (lab environment)"
• Reply: L. Christopher Paul: "Re: Correction: Re: tcpdump traces of CodeRed (lab environment)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 26 Jul 2001 07:56:27 -0400 (EDT)
From: "L. Christopher Paul" <lcp@bofh.sh>
To: incidents@securityfocus.com
Subject: Correction: Re: tcpdump traces of CodeRed (lab environment)
Message-ID: <Pine.LNX.4.21.0107260749470.11202-100000@griffin.silver-griffin.com>

On the web site I indicated that the worm would wake up on the 1st and go
back to work.

After further testing and letting it roll-over and run for over 12 hours,
it appears that I was incorrect and that once dormant, Code Red stays that
way. (Which appears to be good news.)

Kudos to Chris Rouland <CRouland@iss.net> and Jon Larimer
<JLarimer@iss.net> for catching that. Thanks guys.

Sorry for the confusion.

--lcp

On Wed, 25 Jul 2001 lcp@bofh.sh wrote:

>
> Per several requests, I have made these traces available at:
>
> http://www.bofh.sh/CodeRed/index.html
>
> These dumps show what the worm was trying to do when the box was infected
> in each of its three stages (infect, DDos & sleep) as well as what happens
> when the c:\notworm file existed on the infected server. (i.e. nothing.)
>
> --lcp

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

---

• Previous message: Nick FitzGerald: "Re: Tracking SirCam"
• In reply to: lcp@bofh.sh: "tcpdump traces of CodeRed (lab environment)"
• Next in thread: L. Christopher Paul: "Re: Correction: Re: tcpdump traces of CodeRed (lab environment)"
• Reply: L. Christopher Paul: "Re: Correction: Re: tcpdump traces of CodeRed (lab environment)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages tcpdump traces of CodeRed (lab environment) ... tcpdump traces of CodeRed ... These dumps show what the worm was trying to do when the box was infected ... in each of its three stages (infect, DDos & sleep) as well as what happens ... (Incidents) Re: Cross-platform virus? ... prevent payloads from being dropped and direct which executables to ... infect, without propagating the code to allow for this. ... The interesting part comes when you create a WORM. ... to allow for injecting code into a worm and letting it propagate the ... (Ubuntu) CERT Advisory CA-2001-23 ... We believe the worm will begin propagating again on ... susceptible to the vulnerability described in CA-2001-13 Buffer ... time required to infect all vulnerable IIS servers with this worm ... and egress filtering should be implemented at the network edge. ... (Cert) RE: New "concept" virus/worm? ... The W32.Nimda.A@mm worm infects IIS servers by exploiting the 'MS IIS/PWS ... opening the attachment will infect the machine. ... The virus comes at a time of heightened sensitivity to Internet attack. ... (Incidents) RE: New "concept" virus/worm? ... The W32.Nimda.A@mm worm infects IIS servers by exploiting the 'MS IIS/PWS ... opening the attachment will infect the machine. ... The virus comes at a time of heightened sensitivity to Internet attack. ... (Vuln-Dev)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > incidents  > 2001-07