Security Incidents mailing list archives

Re: Conclusion for the dirrent Code Red URL's....


From: Ryan Russell <ryan () securityfocus com>
Date: Sun, 5 Aug 2001 10:35:31 -0600 (MDT)

On Sun, 5 Aug 2001, Daniel Mostertman wrote:

> My conclusion, is that, despite the fact that the X's and O's only turned up
> a couple of days ago, that the inventor thought that we were going to be
> patched for the N's, and not for the X's or O's or any other character.

So far, there are no O's.  I e-mailed Fred about that, and it turns out
that it was a font problem that made the space between X's look like O's.


> My suggestion is that he kept that in mind, and set a timer (I guess August
> 1st), to deploy these activities, and that it's not a new variant, but the
> same, existing, first one.
>
> Any good reason why I shouldn't think that?

The attack vector is a cut-and-paste from Code Red, with the padding
letter changed.  However from there, the rest of the worm is completely
different, and doesn't have any family resemblance to Code Red.

                                                Ryan


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
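
Since the thread turns on which padding letter a request carries, here is a small log triage script that groups source addresses by that letter. It is an added example, not part of the original message or any SecurityFocus tool. It assumes Common Log Format input, the publicly documented `/default.ida?` request target, and a minimum run of 64 identical letters; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

MIN_RUN = 64  # assumed threshold for "padding"; tune to your own traffic
# Assumption: the padded request targets /default.ida (not stated in the thread).
PAD_RE = re.compile(r"/default\.ida\?(([A-Za-z])\2{%d,})" % (MIN_RUN - 1), re.IGNORECASE)
# Common Log Format: source, ident, user, [time], "METHOD target ..."
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)')

def padding_of(target):
    """Return (padding letter, run length) for a padded .ida request, else None."""
    m = PAD_RE.search(unquote(target))
    if not m:
        return None
    return m.group(2).upper(), len(m.group(1))

def scan(lines):
    """Group source addresses by the padding letter they sent."""
    hits = defaultdict(set)
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not an access-log line
        src, _method, target = m.groups()
        pad = padding_of(target)
        if pad:
            hits[pad[0]].add(src)
    return {letter: sorted(srcs) for letter, srcs in hits.items()}

def _line(src, target):
    # Helper that builds a constructed access-log line for the sample below.
    return '%s - - [05/Aug/2001:10:00:00 -0600] "GET %s HTTP/1.0" 404 205' % (src, target)

# Constructed sample input (documentation addresses, made-up lengths).
SAMPLE = [
    _line("192.0.2.10", "/default.ida?" + "N" * 224 + "=a"),
    _line("192.0.2.11", "/default.ida?" + "X" * 224 + "=a"),
    _line("192.0.2.11", "/DEFAULT.IDA?" + "X" * 224 + "=a"),  # same source, other case
    _line("192.0.2.12", "/default.ida?NNNN"),                 # run too short
    _line("192.0.2.13", "/index.html?" + "X" * 224),          # different target
    _line("192.0.2.14", "/default.ida?" + "XO" * 112),        # not a single-letter run
]

if __name__ == "__main__":
    for letter, sources in sorted(scan(SAMPLE).items()):
        print(letter, sources)
```

Keying on the run itself rather than on a fixed letter means a request padded with some other character is still reported, under its own letter.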

