[21724] in bugtraq
RE: Full analysis of the .ida "Code Red" worm.
daemon@ATHENA.MIT.EDU (Eric Chien)
Fri Jul 20 11:26:27 2001
Message-Id: <5.0.2.1.1.20010720103114.02c09458@pop.mail.yahoo.com>
Date: Fri, 20 Jul 2001 10:42:13 +0200
To: "Marc Maiffret" <marc@eeye.com>, bugtraq@securityfocus.com
From: Eric Chien <ecchien@yahoo.com>
In-Reply-To: <MMEPIMEOCNNBECDFLCADOENMEMAA.marc@eeye.com>

At 06:55 PM 7/19/2001 -0700, you wrote:
>This whole worm process that we have been going through will basically start
>from scratch and run its course again when the 1st of next month comes
>around.

That is sort of true. What happens is on the 20th, the threads that were
trying to attack new hosts move to performing the DoS. All of those
threads on the 28th move into an infinite sleep. Thus, if you are infected
your infection goes dormant.

So, in the 'ideal' world, the worm goes dormant on the 1st. But if a
single new infection anywhere in the world happens again on the 1st, then
everyone (unpatched) is up for infection again.

And of course that can happen if anyone has their date set wrong.

...Eric
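
The date logic described in the message above, as an added toy model that is not part of the original post and not the worm's code: it shows why a single host with a slow clock carries the infection across the dormant window. Assumptions: a fully mixed population where one spreader reaches every host within a day, a dormant host can be infected again, and new threads pick their behaviour from the local date using the same 20th/28th thresholds.

```python
MONTH_LEN = 31                      # July and August both have 31 days
ORDER = {"spread": 0, "dos": 1, "sleep": 2}

def local_day(real_day, skew):
    """Day of month a host believes it is (real_day 1 = 1 July, 32 = 1 August)."""
    return (real_day - 1 + skew) % MONTH_LEN + 1

def phase(day):
    """Thread behaviour by local date, using the thresholds given in the message."""
    if day < 20:
        return "spread"
    if day < 28:
        return "dos"
    return "sleep"

def simulate(skews, start_day=15, end_day=36):
    """Return {real_day: hosts still spreading}. Host 0 is the first infection."""
    state = [None] * len(skews)     # None = never infected
    state[0] = phase(local_day(start_day, skews[0]))
    history = {}
    for real in range(start_day, end_day + 1):
        # Running threads only move forward; the sleep is infinite.
        for i, s in enumerate(state):
            if s is not None:
                p = phase(local_day(real, skews[i]))
                if ORDER[p] > ORDER[s]:
                    state[i] = p
        # Assumption: one spreader reaches every host within a day, and a
        # dormant host can be infected again; new threads read the local date.
        if "spread" in state:
            for i, s in enumerate(state):
                if s in (None, "sleep"):
                    state[i] = phase(local_day(real, skews[i]))
        history[real] = state.count("spread")
    return history

if __name__ == "__main__":
    # Constructed populations of five hosts; skew is in days.
    for label, skews in (("all clocks right", [0] * 5),
                         ("one clock 14 days slow", [0, -14, 0, 0, 0])):
        h = simulate(skews)
        print(label, {d: h[d] for d in (19, 20, 28, 31, 32, 34)})
```

With every clock correct, the spreader count stays at zero from the 20th onward, including after the month rolls over. With one clock 14 days slow, that host is still spreading on 1 August and every unpatched host becomes a spreader again that day.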