Security Incidents
mailing list archives
SIRCAM WORM?
From: "borakovej" <borakove () nhgri nih gov>
Date: Mon, 23 Jul 2001 13:29:27 -0700
Has anyone heard of the SirCam Worm????
----- Original Message -----
From: "Tulchinskiy, Sasha" <STulchinskiy () aspensys com>
To: <incidents () securityfocus com>
Sent: Friday, July 20, 2001 6:45 AM
Subject: RE: CodeRed
BlackICE Agent for Servers reports it to ICECap console as
Issue 2002608 "ISAPI extension overflow"
Sasha.
-----Original Message-----
From: Ryan Russell [mailto:ryan () securityfocus com]
Sent: Thursday, July 19, 2001 5:18 PM
To: incidents () securityfocus com
Subject: CodeRed
Here's a copy of CodeRed, as captured by my elite honeypot:
nc -l -p 80 > c:\gotcha
It's in a password protected .zip file, password is "worm" without the
quotes. The zip file is only about 2K, so it shouldn't cause undue stress
on anyone's mail server or client.
There is a rule available for Snort:
http://www.whitehats.com/info/IDS552
BlackICE defender spotted this one as "Suspicious URL":
39, 2001-07-19 20:05:28, 2002500, Suspicious URL, 203.138.114.17,
st0017.nas911.sapporo.nttpc.ne.jp, x.x.x.x, , , 1,
And I'm not aware of other IDSes that catch this. (Though I'd like to be
corrected if that's not the case.)
Ryan
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
http://aris.securityfocus.com