North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

This new CodeRedII is moving way faster than the previous

  • From: Chris Grout
  • Date: Sun Aug 05 03:53:23 2001

This thing is hitting hard!  I got bored and thought I'd through some 
stats/info together...

So far, since 9:16am on 7/19, I've seen 485 CRv1 attacks from 257 unique 
IPs on my cable modem.  
Since 6:49am today, I've been hit 472 times from 133 unique IPs with this 
new "CRv2" worm.  

-  All infected systems seem to try each scanned IP twice whereas the 
original only tried once, which probably will help its infection rate.  
Seems odd though as both tries use the same source port.  Could just be 
my snort rules...

-  It has the word "CodeRedII" hard coded in the packet, so its obviously 
a copycat or at least  a fairly recent revision.

-  *Appears* to be hardcoded to use the d:\inetpub\scripts and d:\progra~1
\common~1\system\MSADC directories.  Assuming you are not using this 
path, are you still vulnerable?

-  Either copies cmd.exe or creates a new file named root.exe in those 
directories.

-  I'm seeing almost only cable modem systems now.  Appears businesses 
may have finally gotten their acts together.


chris