Code Red III
drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.
Code Red: A New Worm
Code Red: Microsoft Strikes Back
Code Red: Return of the Virii
Code Red: The Not-so Phantom Menace
And finally...
Code Red: Attack of the Clones
I think we all know that someone is going to make the horrid decision of calling it "attack of the Code Red"...
Because our Blue Screen of Death turned purple.
photosMy Photostream
LFS. Have you built your system today?
I'm still waiting for the release of Ultra Turbo Code Red XI, Player's Edition...
Last post!
It keeps popping up these annoying ads every time I visit a web site, and leaving them under the browser window, so I have to close each one.
...
None of my antivirus software packages seem to be able to detect it, though
--- Will in Seattle - What are you doing to fight the War?
God, I'm still on version 1 of code red. Does anybody know where I can download the latest version? Is there a mail list I can get on so I know I have the latest version on my IIS server?
Tnks.
-Nuke the moon
Well, suppose we had this giant electronic speculum ;-)
True... and the Code Red Resource Kit, the Code Red SDK, 'Programming Code Red', 'Inside Code Red', and, through IDG, 'Code Red for Dummies'!
It usually takes Microsoft 3 releases to get it right. So, when can we expect Code Red .Net?
That Linux and Apache are not compatible. :-))
We seem to have a good ways to go before everything that runs on Winblows will also run on Linux.
In all likelihood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damage upon infection to the machine... but not enough to keep the worm from spreading.
/script/root.exe?+%2fc+format+c:
What they are calling CodeRed III is really CodeRedII with a better IP selection routine.
Still has the XXX and installs the backdoor
Now incidents.org is recommending that the compromised machines, which have installed backdoors, format their c drive and reinstall
We can do it for them...
GET
They should have started with version IV instead of I ...
...
then they could do some prequels 10 years later
codered IV: A new hope
codered V: The code strikes back
codered VI: Return of the code
...
codered I: The iis menace.
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
How about
Code Red: The Phantom Worm.
Code Red II: Attack of the Clone
Code Red III: Media's Imagination
Code Red IV: A New Worm
Code Red V: The Worm Strikes Back
Code Red VI: Return of the Worm
I wonder when Rocky ..uh ..Code Red IV will be released?
The Code Red worm spreads surreptitiously through a hole in certain Microsoft software such as Internet Information Server (IIS) Web software and Windows NT or 2000 operating systems
Ah, so Windows NT or 2000 are vulnerable too, uh? God, I love proper journalism.
Here we have something that does not come with source code, but people are still able to maintain the program, improve its performance, and then get those improvements quickly out into the field. Even Linux updates don't get distributed this efficiently.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I wrote an all-Java OS in 1998 but can't be sure if or how it works... it's still booting.
If you did that, you would run afoul of McAfee's Patent on Web based virus removal and system administration.
I mean, who else would come out with THREE versions of an original idea, each one worse than the one before?!?
How about "Code Red III: Attack of the Clones?"
I have no idea how you can make a wider back door than CRII. With CRII, the back door has full administrative rights and you can execute arbitrary commands. The machine is FULLY compromised. Plus, due to the nature of the worm each compromised machine broadcasts its IP address to nearby machines. The only way to get a wider back door than CRII would be to put the back door on EVERY PORT.
OK, it will be ready in an hour, just got to build the array handler routine.
--- Will in Seattle - What are you doing to fight the War?
Sequels that are actually better than the original.
Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
V1: Basic worm code
V1.1: Enhanced code
V2: Back door "feature"
V3: Faster attack "feature"
V3.1: Faster attack and multiple backdoor "feature"
------Today: Slashdot reports Code Red V4
V4: Failed version, the worm can't infect other systems, author too dumb to put dots in IP address
V5: Total code rewrite, GNU licensed, autopatch feature (downloads a copy of bsd or linux and installs it on the NT box)
V5.1: Faster reinstall (err....patch), now the user can select which OS/distribution.
------Next Week: Meanwhile, Microsoft patents the "Internet Worm" concept.
V6: Final release, the worm now infects the victim's server and starts to post comments in Slashdot about Code Red...
and see that they go where they belong. I mean seriously, I've seen lots of sites with a domain name which I thought was some other much more popular site which had a small link at the bottom saying something to the effect of: If you're looking for such and such they're actually located here.
It's just common courtesy provided it isn't a competitor's site.
So what you do is set up a script to pull each individual Code Red transaction out of your logs and send an email to support@microsoft.com with a message similar to the following:
A user at IP address x.x.x.x was trying to contact you and got my IP address by mistake. I know how important the needs and desires of your customers are to Microsoft, so I was certain you would want to know about this as soon as possible.
The name Code Red came from Marc and Ryan at eEye. When the version of the original Code Red with the "improved" random number generator came out, they named the new variant CRv2, and re-named the first one CRv1. When we found the one that leaves the back doors, inside is the string "CodeRedII", which is used as an atom name. The author named that one himself.
Other people keep referring to CodeRed III, or CodeRed3. I *think* they are all talking about CodeRed II. We have yet to verify any fourth version.
For people who are asking in other threads here, CRv1 and CRv2 use NNNNNNNN's in their URL. CodeRed II uses XXXXXXXXXX's.
Honestly, if we can keep PacMan, Ms. PacMan, PacMan Jr., PacLand, and SuperPacMan distinct, why not the Code Red names?
In any case, if someone is able to translate this link, that would be a huge help.
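Added example, not part of the original thread or any poster's code: a Python pass over an Apache access log that sorts Code Red probes by the padding letter described above, N for CRv1/CRv2 and X for CodeRed II, and lists the distinct source addresses for each. The log lines, the documentation-range IP addresses, the `/default.ida` request path and the minimum run length of 8 are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log format: client IP first, request line in the first quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<req>[^"]*)"')
# Padding run after the .ida query marker; the letter identifies the family.
# The minimum run of 8 is an assumed threshold, not a value from the thread.
PAD_RE = re.compile(r'\.ida\?(?P<pad>N{8,}|X{8,})')

def classify(request_line):
    """Return 'CRv1/CRv2', 'CodeRedII', or None for one HTTP request line."""
    m = PAD_RE.search(request_line)
    if not m:
        return None
    return "CRv1/CRv2" if m.group("pad")[0] == "N" else "CodeRedII"

def summarize(lines):
    """Map each variant to the set of source IPs seen; also count unparsable lines."""
    sources = defaultdict(set)
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        variant = classify(m.group("req"))
        if variant:
            sources[variant].add(m.group("ip"))
    return dict(sources), skipped

# Constructed sample input: shortened padding, no payload bytes, RFC 5737 addresses.
PAD_N, PAD_X = "N" * 40, "X" * 40
SAMPLE = [
    '192.0.2.10 - - [05/Aug/2001:10:01:02 -0700] "GET /default.ida?%s HTTP/1.0" 404 205' % PAD_N,
    '192.0.2.10 - - [05/Aug/2001:10:02:44 -0700] "GET /default.ida?%s HTTP/1.0" 404 205' % PAD_N,
    '198.51.100.7 - - [05/Aug/2001:10:03:10 -0700] "GET /default.ida?%s HTTP/1.0" 404 205' % PAD_X,
    '203.0.113.5 - - [05/Aug/2001:10:04:00 -0700] "GET /index.html HTTP/1.0" 200 1024',
    'truncated or corrupt line',
]

if __name__ == "__main__":
    found, skipped = summarize(SAMPLE)
    for variant, ips in sorted(found.items()):
        print(variant, len(ips), sorted(ips))
    print("unparsable lines:", skipped)
```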
If you see a message on the boards with a subject line of "Hi, how are you," delete it immediately WITHOUT reading it. It is "Code Red III". This is the most dangerous virus yet. It will re-write your hard drive. Not only that, but it will scramble any disks that are even close to your computer (up to 20 feet). It will recalibrate your refrigerator's coolness setting so all your ice cream melts and milk curdles. It will demagnetize the strips on all your credit cards, reprogram your ATM access code, screw up the tracking on your VCR and use subspace field harmonics to scratch any CDs you try to play.
It will give your ex-boy/girlfriend your new phone number. It will program your phone autodial to call only your mother's number. It is insidious and subtle. It is dangerous and terrifying to behold. It will mix antifreeze into your fish tank. It will drink all your beer. It will hide your car keys when you are late for work and interfere with your car radio so that you hear 1940's hits and static while stuck in traffic.
It will give you nightmares about circus midgets. It will replace your shampoo with Nair and your Nair with Rogaine, all while dating your current boy/girlfriend behind your back and billing their hotel rendezvous to your Visa card. It will seduce your grandmother. It does not matter if she is dead, such is the power of "Code Red III", it reaches out beyond the grave to sully those things we hold most dear.
It will rewrite your back-up files, changing all your active verbs to passive tense and incorporating undetectable misspellings which grossly change the interpretation of key sentences.
"Code Red III" will give you Dutch Elm disease. It will leave the toilet seat up and leave the hairdryer plugged in dangerously close to a full bathtub. It will wantonly remove the forbidden tags from your mattresses and pillows, and refill your skim milk with whole. "Code Red III" is an evil virus conceived by evil people. It is also a rather interesting shade of mauve. These are just a few signs. Be very, very afraid. PLEASE FORWARD THIS MESSAGE TO EVERYONE YOU KNOW!!!
"Love is never saying you're too proud." -Tonic
Oh, so that's why Slashdot sucks so much. Thanks for the info.
- Have a picture
I tried redirecting it and it didn't work.
"PMS is the time of the month when women act like men do all the time"
Robert Heinlein
We can do it for them...
GET
Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.
Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.
Fire and Meat. Yummy.
So, Three Code Reds and a SirCam later, the question just begs to be asked:
Who's calling Whose code "Potentially Viral"?
So there I was, juggling apples and small animals, when I accidentally bit into the wrong one...