Fwd: Re: Code Red variants

• From: Jeff Ogden
• Date: Sun Aug 05 10:21:18 2001

FYI

Date: Sat, 04 Aug 2001 20:16:55 -0700
To: Jeff Ogden <[email protected]>
From: John Moore <[email protected]>
Subject: Re: Code Red variants

At 07:48 PM 8/4/2001, you wrote:

Do we know if anyone has looked at the code for variants of the worn in detail recently? I've seen announcements about new versions with better random IP address generation. Does anyone know if other aspects of the worm are the same? Is it still set to spread itself until the 19th and then switch to attacking the IP address that was once www1.whitehouse.gov or are their variants with different dates and different IP address or attack scenarios?

Jeff,
I tried sending info to the list but may not have posting priveleges. Anyway, you can relay this.

I have a home system on Sprint Broadband, with a little sniffer on port 80 to see the full payload of what is coming in. Starting this morning a new variant of CodeRed started hitting, with a lot more frequency than I ever saw from the original.

This variant has the text "CodeRedII" in the payload. It also has the names of the windows registry entries you would want to hit to install a rebootable trojan. It does not have any domain name in it, and nothing about "Hacked by Chinese." It has XXXXXXXXXXXXXXXXXXX in the payload instead of NNNNNNNNNNNNNNn

The class A domain with by far the greatest number of hits belongs to Sprint.

I dumped some statistics on which class A prefixes had at least three hits. I also dumped the total number of CodeRedII hits by hour.

I don't have time to disassemble it - I am just watching out of curiousity, so I don't know what else it is doing.

here are my hourly stats so far. Time is GMT.

08040113 1
08040114 4
08040115 10
08040116 5
08040117 13
08040118 10
08040119 12
08040120 9
08040121 18
08040122 15
08040123 16
08050100 18
08050101 20
08050102 26

Here is the domain breakdown:
Class A #
168 3
112 3
249 3
? 21
221 80
43 3
190 4

Feel free to mention this to the list if you want, since my mail is not getting through.

Thanks

John




John Moore

[email protected] - http://www.tinyvital.com/
Tiny Vital Software, Inc

The only good weather is bad weather!
Storm Chasing - the Best extreme sport!

(SKYWARN,ARRL,AZ AMS,AZTC,NJ7E)

• Follow-Ups:
  • Re: Fwd: Re: Code Red variants Marius Strom

• Prev by Date: Re: Code Red II
• Next by Date: Re: Code Red variants
• Date Index
• Thread Index
• Author Index
• Historical