[21754] in bugtraq


Re: "Code Red" worm - there MUST be at least two versions.

daemon@ATHENA.MIT.EDU (Ryan Russell)
Fri Jul 20 18:24:13 2001

Date: Fri, 20 Jul 2001 15:38:04 -0600 (MDT)
From: Ryan Russell <ryan@securityfocus.com>
To: Don Papp <donp@aeinnovations.com>
Cc: <bugtraq@securityfocus.com>
In-Reply-To: <Pine.LNX.4.10.10107201210510.26692-100000@diehumans.aeinnovations.com>
Message-ID: <Pine.GSO.4.30.0107201535430.11598-100000@mail>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 20 Jul 2001, Don Papp wrote:

> 	I wonder if I have seen this variant - a person I emailed has a
> server whose web pages served look a lot like the Code Red worm's output
> (1 line of simple html) displaying
>
> 	FUCK CHINA GOVERNMENT
> 	and p0isonb0x (or something like that)
>
> 	On a black background.  The web files themselves are untouched.
>
> 	Actually I have the source of what it spits out:
>
> <html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p
> align="center"><font size=7 color=red>fuck CHINA
> Government</font><tr><td><p align="center"><font size=7 color=red>fuck
> PoizonBOx<tr><td><p align="center"><font size=4
> color=red>contact:sysadmcn@yahoo.com.cn</html>
>

I would tend to assume that isn't a variant of the worm.  It's certainly
not CRv1 or CRv2.  The HTML is about 40 bytes longer than that in Code
Red, so it would be a bit more than simply changing the HTML code in the
worm and relaunching; you'd have to adjust the content length reference,
and a number of other items.  I would think it's non-trivial.

I would think this was a hand-done response to Code Red.

					Ryan

