
RE: [Snort-sigs] New code-red Variant (code red F) sig available ?

From: Young, Mike <Mike.Young(at)atosorigin.com>
Date: Thu Mar 13 2003 - 08:58:47 EST


Being a newbie to this list, could someone tell me if "official" signatures are released here or on the Snort download site? I don't see a codered-f variant in the rules (from 3/10/03). Nor would I since it was released into the wild on 3/11 (or so I've read).

Cheers,
Mike.

 -----Original Message-----
From: Xavier FIQUET [mailto:xavier.fiquet@wanadoo.com]
Sent: Thursday, March 13, 2003 3:14 AM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] New code-red Variant (code red F) sig available ?

Hello,

We have recently been targeted by some new variant of the Code Red .ida attempt.

Here is what we have:

XXX.XXX.XXX.XXX - - [13/Mar/2003:10:06:21 +0100] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205

"This worm is very similar to the other variants of CodeRed, specifically the .C variant. Its only difference with the .C variant is the trigger date when it restarts the system. The .C variant restarts the system if the year is greater than 2002. This .F variant, on the other hand, executes the same routine if the year is greater than or equal to 34952."

Best regards,


Xavier FIQUET




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Thu Mar 13 09:41:48 2003
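
An added example, not part of the original thread or of Snort's rule set: a Python check that flags access-log lines shaped like the request quoted in the message above (a `.ida` path, a long single-character filler run, then a series of `%uXXXX` tokens). It matches on request shape only, so it cannot name the variant; the description quoted in the message puts the .C/.F difference in the trigger date. The thresholds, the 192.0.2.x hosts, the filler length of 224 and the two benign lines are assumptions constructed for the example; the `%u` tokens are copied from the log line in the post.

```python
import re

# Apache common log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) \S+')
UCODE_RE = re.compile(r'%u[0-9a-fA-F]{4}')
MIN_PAD = 100     # assumed threshold: length of the single-character filler run
MIN_UCODES = 8    # assumed threshold: number of %uXXXX tokens in the query

def check_line(line):
    """Return a dict describing a Code Red-style .ida request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, when, _method, target, status = m.groups()
    path, _, query = target.partition("?")
    if not path.lower().endswith(".ida"):
        return None
    run = re.match(r"(.)\1*", query)      # leading run of one repeated character
    pad_len = len(run.group(0)) if run else 0
    ucodes = len(UCODE_RE.findall(query))
    if pad_len < MIN_PAD or ucodes < MIN_UCODES:
        return None
    return {"host": host, "time": when, "status": int(status),
            "pad_char": query[0], "pad_len": pad_len, "ucodes": ucodes}

def scan(lines):
    """Return one result dict per matching log line, in input order."""
    return [hit for hit in map(check_line, lines) if hit]

# Constructed sample log. Token string taken from the posted log line,
# including its trailing "%u00=a" as it appears there.
PAYLOAD = ("%u9090%u6858%ucbd3%u7801" * 3 +
           "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Mar/2003:10:06:21 +0100] "GET /default.ida?'
    + "X" * 224 + PAYLOAD + ' HTTP/1.0" 404 205',
    '192.0.2.20 - - [13/Mar/2003:10:07:02 +0100] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.30 - - [13/Mar/2003:10:08:40 +0100] "GET /default.ida?test=1 HTTP/1.0" 404 205',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The `status` field is kept in each result so that hits answered with 404, as in the posted line, can be told apart from hits the server actually served.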

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:25 EDT

