Security Incidents mailing list archives
Re: Full analysis of the .ida "Code Red" worm.
From: corecode <simons () gmx net>
Date: Thu, 19 Jul 2001 18:09:07 +0000
At 06:17 AM 7/19/2001, aleph1 () securityfocus com wrote:
----- Forwarded message from Marc Maiffret <marc () eeye com> -----

8. Infect a new host (send .ida worm to a "random" IP address on port 80).

At this point the worm will resend itself to any IP addresses which it can connect to port 80 on. It uses multiple send()'s so packet traffic may be broken up. On a successful completion of send, it closes the socket and goes to step 6... therefore repeating this loop infinitely.

i wonder if these connects originate from port 80, too. somewhere i read about a source port 80, but maybe i mistake this with the acknowledging "GET"

greets,
corecode