The following was posted to BugTraq on Saturday, 4 Aug. The worm is apparently
mutating; the new version installs a backdoor. Server logs can be sent to
firstname.lastname@example.org, see below for
Date: Sat, 4 Aug 2001 23:00:39 -0600 (MDT)
From: Alfred Huger
Subject: Code Red Revision
I had planned on sending out a thanks this evening to all of the
contributors (in terms of logs) who came through on the Code Red (revision
2) surge last week. Regrettably it looks like I will have to wait due to a
new variant, or rather a new worm, on the loose.
As some of you know a new worm has been released into the wild which uses
the same exploit - the Microsoft Indexing Server/Indexing Services ISAPI
Buffer Overflow Attack (http://www.securityfocus.com/bid/2880). However,
this is most likely not a revision of the initial Code Red worm but a new
worm which simply uses the same entry point. It carries an actual
malicious payload and has a number of other very interesting features. The
SecurityFocus ARIS Team and eEye Digital Security will be releasing an
in-depth writeup in the next hour or two with technical details as well as
information about its spread to date.
As opposed to filling the list with logs of attacks I will reserve the
list for discussion of the worm's payload and features - after we post an
analysis. So very shortly. Until then, it would be fantastic if you can
send your log files to:
Because we have caught this very early we plan on starting the
notification process tonight. We sent close to 400,000 notifications
against Code Red 1 & 2 previously - hopefully because we are on top of
this our notifications now will help address the situation much, much
If you would like to send offending IP data - Please send it in the
IP ADDRESS DATE/TIME
Or something similar to this. Please ensure the information is contained
to IP address and date per line as we do our notification automatically
and our system needs to be able to understand the logs you send us.
We will be posting more shortly.
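The post asks contributors for one line per offending host, "IP ADDRESS DATE/TIME", pulled from their own web server logs. The script below is an added example, not part of the original BugTraq post or of the SecurityFocus ARIS tooling, of how a Windows/IIS administrator could produce that format from an IIS W3C extended log. It assumes the W3C extended format with a "#Fields:" header naming the columns, and it flags a request as a probe for the Indexing Services ISAPI overflow (BID 2880) when the URI stem ends in .ida or .idq, the extensions served by that ISAPI extension. The sample log text, the client IPs and the query strings are constructed for this example and are not a real capture.

```python
"""Turn IIS W3C extended logs into "IP DATE/TIME" lines for the ARIS notification list.

Added example; assumes the W3C extended log format and matches on the
.ida/.idq ISAPI extension. Sample data below is constructed, not captured.
"""
import re

# Constructed sample of an IIS 5.0 W3C extended log (RFC 5737 documentation
# addresses, invented query strings). IIS writes W3C log timestamps in UTC.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-04 22:10:05
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-04 22:10:05 192.0.2.10 GET /default.htm - 200
2001-08-04 22:11:17 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858 200
2001-08-04 22:11:18 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858 200
2001-08-04 22:15:40 203.0.113.99 GET /index.ida NNNNNNNNNNNNNNNNNNNN%u9090%u6858 404
2001-08-04 22:20:01 192.0.2.10 GET /images/logo.gif - 200
"""

# .ida and .idq are both handled by the vulnerable Indexing Services ISAPI
# extension, so either extension in the URI stem counts as a probe attempt.
IDA_PATTERN = re.compile(r"\.id[aq]$", re.IGNORECASE)


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the most recent #Fields header.

    IIS writes a fresh directive block whenever logging restarts, so the
    column layout is re-read every time a #Fields line appears. Lines before
    any header, or with the wrong number of columns, are skipped rather than
    guessed at.
    """
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def extract_offenders(log_text):
    """Return [(client_ip, 'date time'), ...] for .ida/.idq requests.

    Only the first hit per client IP is kept, in order of first appearance,
    because the notification system wants one line per host, not per packet.
    Status code is deliberately ignored: a 404 on /index.ida is still a probe.
    """
    first_seen = {}
    for rec in parse_w3c(log_text):
        if not IDA_PATTERN.search(rec.get("cs-uri-stem", "")):
            continue
        ip = rec.get("c-ip")
        if ip is None or ip in first_seen:
            continue
        first_seen[ip] = f"{rec.get('date', '-')} {rec.get('time', '-')}"
    return list(first_seen.items())


def format_report(records):
    """Render records as 'IP DATE TIME UTC' lines; the zone is stated
    explicitly so the recipient can correlate with their own logs."""
    return "\n".join(f"{ip} {when} UTC" for ip, when in records)


if __name__ == "__main__":
    print(format_report(extract_offenders(SAMPLE_LOG)))
```

Run against a real log directory by reading each ex*.log file and concatenating the text before calling extract_offenders; keeping the #Fields directives intact is what lets the parser cope with logs written by servers configured with different column sets.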