Jo, On 18-Sep-01 Yuri Robbers wrote:
> Is anyone writing the occurrence of WEB IIS cmd.exe requests up for bugtraq already?
This beast has been known for quite a while now, and Microsoft has already produced some cleaning tools and patches against it. It has been discussed on bugtraq already. A good overview of Code Red II can be found on incidents.org: http://incidents.org/react/code_redII.php

This document states that the source of most Code Red/II attacks is the PCs of home users who don't know about the standard IIS installation on their Win2k boxes. Code Red II is particularly nasty because it copies cmd.exe into a location where it is accessible from anywhere via the web. It also trojanizes explorer.exe to "offer" C: and D: to the world (also via the internet, of course). If the worm finds Chinese as the standard installed language, it runs for 48 hours and starts 600 (!) threads (24/300 for other languages) to attack and infect other victims.

The worm is also heavily killing bandwidth; imagine 600 instances of the worm trying to browse/scan their networking neighbourhood. The worm code tries to attack the same subnet where its host resides, and the number of ARP requests is very high. This has led to a breakdown of some small ISPs in the last couple of days.
Cheers, Yuri.
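A log check for the cmd.exe requests Jo asks about, as an added example that is not part of this mail or of the incidents.org write-up: it assumes IIS W3C extended logging with a `#Fields:` header, and the sample log lines are constructed.

```python
"""Flag IIS W3C log entries that request cmd.exe and count them per source.

Added example (not from the mail or from incidents.org). Assumes W3C extended
logging with a '#Fields:' header; the SAMPLE_LOG below is constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: two cmd.exe requests from one host among normal traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:01:02 192.0.2.10 GET /default.htm - 200
2001-09-18 10:01:05 198.51.100.7 GET /scripts/cmd.exe /c+dir 200
2001-09-18 10:01:06 198.51.100.7 GET /scripts/cmd%2Eexe /c+dir 200
2001-09-18 10:01:09 192.0.2.11 GET /images/logo.gif - 200
"""

CMD_RE = re.compile(r"cmd\.exe", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per log line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess at its fields
        yield dict(zip(fields, parts))


def cmd_exe_hits(text):
    """Return (flagged entries, per-source-IP hit counts) for cmd.exe requests."""
    flagged, per_ip = [], Counter()
    for entry in parse_w3c(text):
        # Decode twice so percent-encoded (and double-encoded) stems are caught.
        stem = unquote(unquote(entry["cs-uri-stem"]))
        if CMD_RE.search(stem):
            flagged.append(entry)
            per_ip[entry["c-ip"]] += 1
    return flagged, per_ip


if __name__ == "__main__":
    hits, by_ip = cmd_exe_hits(SAMPLE_LOG)
    for h in hits:
        print(h["date"], h["time"], h["c-ip"], h["cs-uri-stem"], h["cs-uri-query"])
    print(by_ip.most_common())
```

Hosts with many hits in a short window are the ones worth checking for an infected IIS, since an infected box scans its own subnet continuously.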