[AZ-Observing] Re: CodeRed II

  • From: "bobe at ngcic.org" <bobe@xxxxxxxxx>
  • To: <az-observing@xxxxxxxxxxxxx>
  • Date: Sun, 2 Sep 2001 17:38:38 -0700

As far as I know, the CodeRedII virus does not include the SirCam virus (a
virus propagated via e-mail) or the W32/MsInit.worm.b virus.  CodeRedII
propagates via a security hole in IIS (Internet Information Server), the web
server software used by both NT 4.0 and Cisco Model 675 DSL modems.

It works by sending an HTTP request packet which has more characters in it
than is allowed.  The security hole occurs when the IIS server accepts the
request packet and then overflows the additional characters into executable
memory space, which then get executed.  The web server was patched so that
the security hole no longer exists (the IIS server throws away the
illegal-length packet), but the Cisco router was not.

I suspect this thread should be handled off-line ASAP.  Please e-mail me at
bobe@xxxxxxxxx for questions or comments.

/Bob
---------------------------------------------------------------
"I do not feel obliged to believe that the same God who has
endowed us with sense, reason, and intellect has intended us
to forgo their use." - Galileo Galilei
---------------------------------------------------------------
Bob Erdmann - Core Team Member & Webmaster
The NGC/IC Project - http://www.ngcic.org
e-mail: bobe@xxxxxxxxx



----- Original Message -----
From: "Bill Peters" <afls@xxxxxxxxxxxxx>
To: <az-observing@xxxxxxxxxxxxx>
Sent: Sunday, September 02, 2001 5:00 PM
Subject: [AZ-Observing] Re: CodeRed II


>
>
>
> Bill Peters wrote:
>
> > My computer also was infected by a version of the Code Red virus named
> > SirCam.  My computer also had the W32/MsInit.worm.b virus.  The SirCam
> > destroyed my boot disk, eliminating my desktop and making it unable to
> > start up in Safe Mode.
> >
> > Now, my system has been cleared.
> >
> > Bill Peters
> > 813-4242
> >
> > "bobe at ngcic.org" wrote:
> >
> > > Gary,
> > >
> > > Steve has been the victim of the CodeRedII Virus (it brought down the
> > > Cisco
>
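The post above describes the mechanism (an over-length HTTP request accepted by the server) and the fix (the patched server discards the illegal-length request). The following is an added example, not code from the mailing-list post or from IIS: a request-line parser that enforces explicit length bounds before doing anything else with the input, plus a small check over constructed IIS-style log lines that flags abnormally long URIs. The limits, the simplified log layout, and the sample lines are all assumptions made for this example.

```python
"""Added example (not part of the mailing-list post): a bounded HTTP
request-line parser that rejects over-length requests up front, plus a
check over constructed IIS-style log lines for abnormally long URIs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed limits, chosen for illustration; real servers set their own.
MAX_REQUEST_LINE = 2048   # bytes allowed for "METHOD SP TARGET SP VERSION"
MAX_TARGET = 1024         # bytes allowed for the request-target alone


@dataclass
class RequestLine:
    method: str
    target: str
    version: str


def parse_request_line(raw: bytes) -> Optional[RequestLine]:
    """Parse the first line of an HTTP request with explicit length checks.

    Returns None (the request is discarded) whenever any bound is exceeded,
    which is the patched behaviour the post describes: the server throws
    the over-length request away instead of processing it.  Only the first
    MAX_REQUEST_LINE + 1 bytes are examined, so a request many megabytes
    long is never copied or scanned in full.
    """
    head = raw[: MAX_REQUEST_LINE + 1]
    line_end = head.find(b"\r\n")
    if line_end == -1 or line_end > MAX_REQUEST_LINE:
        return None                      # no line terminator within the bound
    parts = head[:line_end].split(b" ")
    if len(parts) != 3:
        return None                      # malformed request line
    method, target, version = parts
    if len(target) > MAX_TARGET:
        return None                      # request-target exceeds its own bound
    if not re.fullmatch(rb"[A-Z]{1,16}", method):
        return None
    if not re.fullmatch(rb"HTTP/1\.[01]", version):
        return None
    return RequestLine(method.decode("ascii"),
                       target.decode("latin-1"),
                       version.decode("ascii"))


# Constructed log lines in a simplified W3C-style layout
# (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# Addresses and paths are made up for this example.
SAMPLE_LOG = [
    "2001-09-02 17:38:38 192.0.2.10 GET /index.htm - 200",
    "2001-09-02 17:38:40 192.0.2.11 GET /images/logo.gif - 200",
    "2001-09-02 17:38:41 203.0.113.5 GET /default.htm " + "X" * 400 + " 200",
]

LOG_FIELDS = ["date", "time", "c_ip", "cs_method",
              "cs_uri_stem", "cs_uri_query", "sc_status"]


def long_uri_hits(lines: List[str], threshold: int = 256) -> List[Tuple[str, int]]:
    """Return (client_ip, uri_length) for log lines whose stem plus query
    exceed the threshold.  Lines that do not have the expected field count
    are skipped rather than guessed at."""
    hits = []
    for line in lines:
        fields = line.split(" ")
        if len(fields) != len(LOG_FIELDS):
            continue
        rec = dict(zip(LOG_FIELDS, fields))
        query = "" if rec["cs_uri_query"] == "-" else rec["cs_uri_query"]
        length = len(rec["cs_uri_stem"]) + len(query)
        if length > threshold:
            hits.append((rec["c_ip"], length))
    return hits


if __name__ == "__main__":
    ok = b"GET /index.htm HTTP/1.0\r\nHost: example.test\r\n\r\n"
    too_long = b"GET /default.htm?" + b"X" * 3000 + b" HTTP/1.0\r\n\r\n"
    print(parse_request_line(ok))        # RequestLine(method='GET', ...)
    print(parse_request_line(too_long))  # None
    print(long_uri_hits(SAMPLE_LOG))     # [('203.0.113.5', 412)]
```

The point of the parser is that the bound is applied to the raw bytes before any field is extracted or copied, so an over-length request is discarded at the cheapest possible stage; the log check is the corresponding after-the-fact signal a defender can run over existing web logs.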


---
This message is from the AZ-Observing mailing list.  If you wish to be
removed from this list, send E-mail to: AZ-Observing-request@xxxxxxxxxxxxx,
with the subject: unsubscribe.

The list's archive is at:  //www.freelists.org/archives/az-observing

This is a discussion list.  Please send personal inquiries directly to
the message author.  In other words, do not use "reply" for personal
messages.  Thanks.


