[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[connect24h:03755] CodeRed II TypeX $B>\:Y(B

To: connect24h <connect24h@xxxxxxxxxxxxxxxxxxxx>
Subject: [connect24h:03755] CodeRed II TypeX $B>\:Y(B
From: hamamoto <r00t@xxxxxxxxxxx>
Date: Mon, 06 Aug 2001 11:25:55 +0900

$B$O$^$b$H$G$9!#(B
(B
(BCodeRed II$B>\:Y>pJs$G$9!#(B
(B
(BCodeRed II$B$K46@w$9$k$H!"(Bcmd.exe$B$r(Bc:\inetpub\scripts\root.exe$B$H(B
(Bc:\progra~1\common~1\system\MSADC\root.exe$B$K%3%T!C$;$^$9$N$G!"?4Ev$?$j(B
$B$N$"$k?M$O!"$3$l$iFs$D$N%U%!%$%k$r:o=|$7$^$7$g$&!#(B
(B
$B!|(BCodeRed II ARIS Incident Analysis
(Bhttp://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26mid%3D201886
(B* Gets the system directory (usually c:\winnt\system32)
(B* Appends cmd.exe to the string
(B* Copies the resulting string (usually c:\winnt\system32\cmd.exe) 
(B  to c:\inetpub\scripts\root.exe and c:\progra~1\common~1\system\MSADC\root.exe
(B* Creates c:\explorer.exe
(B* Goes back and repeats the steps for drive d: instead of c:
(B
(BThe trojan explorer.exe doesn't get executed until the next time the host
(Bis rebooted and someone logs in.  When it is run, it executes the real
(Bexplorer, and then does the following in an infinite loop:
(B
(B* Sets SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable to 0FFFFFF9Dh (disables system file protection)
(B* Sets SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Scripts to ,,217
(B* Sets SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\msadc to ,,217
(B* Sets SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\c to c:\,,217
(B* Sets SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\d to d:\,,217
(B* Sleeps for 10 minutes
(B
$B!|(BAlert: New version of Code Red, XXXX(NTBugtraq)
(Bhttp://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0108&L=ntbugtraq&F=P&S=&P=279
(B
$B!|(BCodeRedII (by eEye)
(Bhttp://www.eeye.com/html/advisories/coderedII.zip 
(B
(B
(B+---------------------------------------------------------------------
(B| $B$O$^$b$H(B
(B| $B"#>o;~@\B3$N1c!J%$%s%?!<%M%C%H>o;~@\B3%K%e!<%9%5%$%H!K(B
(B| http://cn24h.hawkeye.ac/
(B| $B"#(B24 $B;~4V>o;~@\B3%a!<%j%s%0%j%9%H3+:ECf(B
(B| http://cn24h.hawkeye.ac/connect24h.html
(B| $B"#%;%+%s%@%j(BDNS$B8_=u2q(B
(B| http://cn24h.hawkeye.ac/dns.html 
(B+----------------------------------------------------------------------
(B
(B
(B------------------------------------------------------------------------
$B!!!!!!%$%s%U%)%7!<%/$K!!!X%U%!%s%I%i%s%-%s%0!YEP>l!*!*!!$C$F$J$K!)!!!!!!(B
$B!!!!!!!!!!(B http://fund.infoseek.co.jp/Rfund_top.cfm?svx=971122

Follow-Ups:
- [connect24h:03756] Re: FYI $B!!(B Code Red II
  - From: Isao Sugimoto

Prev by Date: [connect24h:03754] RE: $B:#EY$O!#(B$B#U#P#S(B
Next by Date: [connect24h:03756] Re: FYI $B!!(B Code Red II
Previous by thread: [connect24h:03753] Re: Code Red
Next by thread: [connect24h:03756] Re: FYI $B!!(B Code Red II
Index(es):
- Date
- Thread

[connect24h:03755] CodeRed II TypeX $B>\:Y(B

[connect24h:03755] CodeRed II TypeX $B>\:Y(B