Re: "Code Red" worm - there MUST be at least two versions.

[Don Papp <donp () aeinnovations com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 20 Jul 2001, Chris Paget wrote:

> Secondly, can someone capture a copy of this second variant and
> dis-assemble it?
>
> I intend to add egress filters to one of my servers and allow it to
> become infected; if anyone wants to volunteer to help me pick it apart
> afterwards it would be appreciated.

        I wonder if I have seen this variant - a person I emailed has a
server whose web pages served looks a lot like the Code Red worm's output
(1 line of simple html) displaying

        FUCK CHINA GOVERNENT
        and p0isonb0x (or something like that)

        On a black background.  The web files themselves are untouched.

        Actually I have the source of what it spits out:

<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p
align="center"><font size=7 color=red>fuck CHINA
Government</font><tr><td><p align="center"><font size=7 color=red>fuck
PoizonBOx<tr><td><p align="center"><font size=4
color=red>contact:sysadmcn () yahoo com cn</html>


        I've asked that he do a few things (including check for
outbound connections to port 80s of random IPs, patch, reboot, etc) but
haven't heard from him yet - his site is no longer up either.


Don P
http://aeinnovations.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7WHVT2KCg0hzfOnQRAkX9AKCatgkSAUQEugcNbpcw2UHaWNgMLgCfaC2R
Id2u7spws0eFvrx6Qmn23rg=
=ufnI
-----END PGP SIGNATURE-----