code red - c:\notworm

From: Soeren Ziehe (robinton@GMX.de)
Date: 07/26/01 

Date: 26 Jul 2001 17:38:00 +0100
From: robinton@GMX.de (Soeren Ziehe)
To: incidents@securityfocus.com
Message-ID: <85cHqogjaCB@robinton.gmx.de>
Subject: code red - c:\notworm

Hello,

about c:\notworm ...

I re-read the analysis from EEye ('Full analysis of the .ida "Code Red"
worm.') and the message from ecchien@yahoo.com.
Also I had a look at the worm code (http://www.eeye.com/html/advisories/
codered.zip)

He're my theory onto c:\notworm and it significance to detect an "code
red" infection.

The EEye analysis does not mention c:\notworm being created, but a check
for it's existence.
The message from ecchien does mention its creation, but no check for its
existence.
The worm code contains references to CreateFile function. [I'm NOT into
assembler, therefore I cannot discern anything else with a decent degree
of certainty]

So a)
c:\notworm is a safe guard prohibiting "code red" to go astray during
development
or b)
c:\notworm is created after infection of a maschine by "code red".

If a) there's no significance to "code red" detection.

If b) each maschine should have c:\notworm after infection.
Thus reinfection should NOT occur as long as c:\notworm stays present.
So each maschine having c:\notworm was at some point in time infected.

Can anyone "in the know" or just with more assembler skills provide the
answer to this question?
It's not that important, but I'd like to find out. ;-)

Robinton 

-- 
I've asked for kindness and ultimate truth. Still waiting for the answer.
-- 
Ich sei, gewaehret mir die Bitte, in eurem Netzwerk der Dritte.
(frei nach Schiller)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com