Possible New Variant of Code Red
Note below clipped from notification received by e-mail
-----Original Message-----
From: Russ [mailto:[email protected]]
Sent: Tuesday, March 11, 2003 1:28 PM
To: [email protected]
Subject: Alert: New Code Red F worming its way through the 'net
FYI, at 10:15am EST this morning WormCatcher detected a new variant of Code
Red, called Code.Red.F, worming its way through hosts from Finland, the
U.S., and Australia. Since then it has continued, slowly, infecting more
hosts around the globe.
The infection method is the same as the original Code Red, so the
protections are the same;
- Remove IIS from the box completely
- Remove Script Mappings, particularly .IDA mappings
- Patch (MS01-033)
Too bad ISPs don't block access to attacking IIS boxes the way they did with
Slammer. This version appears to eliminate or change the drop-dead date that
previous versions of Code Red had.
If you're interested in WormCatcher, check out;
http://www.ntbugtraq.com/wormcatcher.asp
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor "My
thoughts are facts in my world, opinion to you. YMMV"
Some other information indicates the following possibilities:
- the cutoff date may have been removed
- the string is slightly different
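
Because the infection method is unchanged while the string may differ, a log check is more durable if it keys on the request shape (an oversized query sent to an .ida/.idq mapping) than on an exact string. The following is an added example, not part of the original notification or of WormCatcher. The common-log-style format, the 200-character threshold, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# MS01-033 fixes a buffer overflow in the Index Server ISAPI extension
# (idq.dll), which is mapped to the .ida and .idq script extensions.
INDEX_EXTS = (".ida", ".idq")

# Assumed threshold: legitimate index queries are short. Tune per site.
MAX_QUERY_LEN = 200

# Request field as written in common-format logs: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_index_requests(lines):
    """Return (client, path, query_length) for oversized .ida/.idq requests.

    The filler characters are never inspected, so a variant that changes
    the string still matches as long as the delivery is the same.
    """
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith(INDEX_EXTS):
            continue
        if len(parts.query) > MAX_QUERY_LEN:
            client = line.split(" ", 1)[0]
            hits.append((client, parts.path, len(parts.query)))
    return hits


# Constructed sample lines (documentation addresses, filler only, no payload).
TS = "[11/Mar/2003:10:15:02 -0500]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "GET /default.ida?{"N" * 224} HTTP/1.0" 404 -',
    f'198.51.100.7 - - {TS} "GET /default.ida?{"X" * 224} HTTP/1.0" 404 -',
    f'203.0.113.5 - - {TS} "GET /scripts/lookup.IDA?{"Q" * 300} HTTP/1.0" 500 -',
    f'192.0.2.44 - - {TS} "GET /search.idq?CiRestriction=worm HTTP/1.1" 200 512',
    f'192.0.2.44 - - {TS} "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, path, qlen in suspicious_index_requests(SAMPLE_LOG):
        print(f"{client} sent a {qlen}-byte query to {path}")
```

Hits on a server that has had the .IDA mapping removed or MS01-033 applied indicate probing by infected hosts rather than compromise of the logging server.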