[21712] in bugtraq


Re: [BUGTRAQ] Full analysis of the .ida "Code Red" worm.

daemon@ATHENA.MIT.EDU (Nick FitzGerald)
Fri Jul 20 02:10:38 2001

Message-Id: <200107200526.RAA29006@fep4-orange.clear.net.nz>
From: "Nick FitzGerald" <nick@virus-l.demon.co.uk>
To: BUGTRAQ <BUGTRAQ@securityfocus.com>
Date: Fri, 20 Jul 2001 17:26:33 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Reply-To: nick@virus-l.demon.co.uk
Cc: Vern Paxson <vern@ee.lbl.gov>
In-reply-to: <200107200035.f6K0ZmC15828@daffy.ee.lbl.gov>

Vern Paxson <vern@ee.lbl.gov> wrote:

> Date:        Thu, 19 Jul 2001 17:35:48 PDT
> 
> > It appears that the worm is at this time somewhat contained
> 
> A colleague has pointed out that this may be because it's now
> already reached all of the easily-reachable, infectable servers.

Note your posting time and assuming the TZ is correct...

No -- it is "constrained" because it has reached the *UTC date* (not 
time as initially reported) when it is programmed to switch from 
"spread like crazy" mode to "DoS one of the IPs that was part of 
www.whitehouse.gov" mode.  In about ten days it will flick back to 
the "spread like crazy" mode.


Regards,

Nick FitzGerald
