[Dshield] Is it a new Code Red strain?

miroslaws@home.com miroslaws at home.com
Thu Aug 30 20:16:37 GMT 2001


Hello Everybody,

I have noticed in my logs a new type of signature:

209.241.218.199 - - [28/Aug/2001:08:41:53 -0700]
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%
ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a HTTP/1.1" 400 -


The difference between the well-known Code Red (C-R) and this type of signature
is the lack of the "GET default.ida?" segment exploiting the ".ida" vulnerability.

I believe it could be a new strain of the C-R worm. I wonder how it would affect
already C-R infected computers if it hit them.

Best Regards

Miroslaw
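
A log check for the distinction drawn in the message above, as an added example that is not part of the original post: it flags requests carrying a long filler run followed by %u-encoded units and separates those that include the "GET default.ida?" segment from those that do not. The regex thresholds, the label names and the sample log lines (documentation addresses, shortened filler) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*)" (\d{3}) \S+$')
# 32 or more repeats of one filler letter, then at least three %uXXXX units.
PAYLOAD = re.compile(r'([A-Za-z])\1{31,}(?:%u[0-9a-fA-F]{4}){3,}')
# Request line that names the .ida resource, with or without a leading slash.
IDA_PREFIX = re.compile(r'^GET /?default\.ida\?', re.IGNORECASE)

def classify(line):
    """Return (host, status, label) for one log line, or None if it does not parse."""
    m = CLF.match(line.strip())
    if not m:
        return None
    host, request, status = m.groups()
    if not PAYLOAD.search(request):
        label = "other"
    elif IDA_PREFIX.match(request):
        label = "ida-request"    # payload arrives in a GET for default.ida
    else:
        label = "payload-only"   # same payload shape, no method or URI before it
    return host, int(status), label

def hosts_by_label(lines):
    """Group source hosts by label, skipping lines that do not parse."""
    groups = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result:
            groups[result[2]].add(result[0])
    return dict(groups)

# Constructed sample: documentation addresses, filler shortened to 64 characters.
PAD = "X" * 64
UNITS = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"  # units quoted in the post
SAMPLE = [
    f'192.0.2.10 - - [28/Aug/2001:08:41:53 -0700] "{PAD}{UNITS}%u00=a HTTP/1.1" 400 -',
    f'192.0.2.11 - - [28/Aug/2001:08:42:10 -0700] "GET /default.ida?{PAD}{UNITS}%u00=a HTTP/1.0" 404 205',
    '192.0.2.12 - - [28/Aug/2001:08:43:00 -0700] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for label, hosts in sorted(hosts_by_label(SAMPLE).items()):
        print(label, sorted(hosts))
```

The check expects each log entry on a single line; an entry wrapped by a mail client, like the one quoted in the message, has to be rejoined first.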
