
Re: (OT) Code Red Activity Report

I thought that these two messages which were posted on another listservice 
might be of interest to members of the SEAINT list.  (If not, just delete 
this message.)

The second message gives a hint of what *anyone* can do to your machine if 
you are infected with Code Red II.

Roger Turk 

----Forwarded Message(s)----

---------Message 1---------

  I don't know if the number of hits on my machine
is a direct correlation of activity across the 
web, but for whatever it's worth, the first week
of Aug:

Date    Total   CRI     CRII
1 Aug     15     15        0
2 Aug     23     23        0
3 Aug     30     30        0
4 Aug     36     36        0
5 Aug     85      9       76
6 Aug    117      6      111
7 Aug    126     18      108

  In an earlier message, I downplayed the impact 
Code Red has on the net in general.  It's not just 
the requests it sends out and the error messages 
generated as a result.  In fact, that's just a minor 
part of the bandwidth the worm wastes.  More 
significant is the huge number of arp packets 
generated as the worm searches for new machines to 

  Judging by all the clueless twits posting on
microsoft.public.inetserver.iis, I have to think
this worm is going to be around for a long time.

 - Steve

-----------Message 2----------

Code Red 2 also puts a back door on a victim's system. I and a friend
have written a PERL script that catches specific Code Red 2 scans,
and then connects to the victim's machine through the back door and:
1) Generates a file on the victim's hard disk explaining the problem.
2) Opens the file with NotePad on the victim's computer.
3) Disables the backdoor.

Unfortunately, I have no idea how to disable the virus itself, so
it will keep on spreading. This is what the text file is for - 
alarming the user that he/she is infected, and where to get the

 ----End Forwarded Message(s)---

*   This email was sent to you via Structural Engineers 
*   Association of Southern California (SEAOSC) server. To 
*   subscribe (no fee) or UnSubscribe, please go to:
*   Questions to seaint-ad(--nospam--at) Remember, any email you 
*   send to the list is public domain and may be re-posted 
*   without your permission. Make sure you visit our web 
*   site at:
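
Added example, not part of the forwarded messages: one way a web server operator could produce a per-day tally like the one in Message 1 from an access log. It assumes Apache common log format and relies on the widely documented difference in the probe request (the original Code Red pads the default.ida query with "N", Code Red II with "X"); the post does not say how its author counted, and the sample lines are constructed and shortened.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines (documentation IP ranges, probe padding shortened).
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:03:12:45 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.77 - - [05/Aug/2001:09:01:02 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.5 - - [05/Aug/2001:09:30:11 -0700] "GET /DEFAULT.IDA?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.9 - - [05/Aug/2001:10:15:00 -0700] "GET /index.html HTTP/1.0" 200 1043
203.0.113.4 - - [05/Aug/2001:11:00:00 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
this line is malformed and is skipped
"""

# Day stamp and request path from a common-log-format line.
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[(\d{2}/[A-Za-z]{3}/\d{4}):[^\]]*\] "[A-Z]+ (\S+)')
# Path is matched case-insensitively; the padding letter identifies the variant.
PROBE_RE = re.compile(r'(?i:/default\.ida)\?(N{8,}|X{8,})')

def classify(path):
    """Return 'CRI', 'CRII', or None for a request path."""
    m = PROBE_RE.match(path)
    if not m:
        return None
    return "CRI" if m.group(1)[0] == "N" else "CRII"

def tally(log_text):
    """Count probes per ISO date and variant, ignoring unparseable lines."""
    days = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        variant = classify(m.group(2))
        if variant:
            day = datetime.strptime(m.group(1), "%d/%b/%Y").date().isoformat()
            days[day][variant] += 1
    return days

def report(days):
    """Rows of (date, total, CRI, CRII) in chronological order."""
    return [(d, c["CRI"] + c["CRII"], c["CRI"], c["CRII"])
            for d, c in sorted(days.items())]

if __name__ == "__main__":
    print("Date        Total  CRI  CRII")
    for row in report(tally(SAMPLE_LOG)):
        print("%-10s %6d %4d %5d" % row)
```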