Security Incidents mailing list archives
Re: CodeBlue finally hitting, or what?
From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Wed, 19 Sep 2001 10:33:45 +1200
"Portnoy, Gary" <gportnoy () belenosinc com> wrote:
I am suddenly seeing hundreds of Unicode traversal requests coming in from all over the world, many of them from previous CodeRed victims. I am guessing someone changed CodeBlue to make it spread faster, because before I saw maybe 1 or 2 CodeBlue attempts a day, and so far I've seen at least 20 in the last hour. Just as a way to help fingerprint it, a few of the attempted exploits use the multiple decode vulnerability....
It is, most likely, Nimda (the self-named "Concept Virus" but don't use that name). It "correctly" implements the mechanisms that CodeBlue incorporated, and thus spreads. I (and presumably all the other dial-ups on my ISP) am currently being heavily scanned from several sub-nets in the Philippines...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
