[Snort-users] Code Green???

Ian Cudlip ian at ...3488...
Tue Sep 18 11:55:01 EDT 2001


This seems normal...

Update - NAI have released version 2 of their extra.dat which seems to detect 
things now.... You can use this for scanning exes. AVP works too.

There's no point to scan for readme.exe, that is the virus itself - cmd.exe, 
root.exe etc. are scanned to attempt to infect the machines.

Has anyone gone through the binary with an editor yet to get out all these 
registry changes it might make? (quickly gone through myself)..

Ian.

On Tuesday 18 September 2001  7:47 pm, Tim Parker wrote:
> I'm seeing entries in our IIS logs for the requests (cmd.exe, root.exe,
> etc) but no emails or downloads of the readme.exe file from our
> servers....does that sound normal? As far as I can see I have us patched
> for the sec. rollup and the previous unicode......
>
> -----Original Message-----
> From: Ian Cudlip [mailto:ian at ...3488...]
> Sent: Tuesday, September 18, 2001 1:56 PM
> To: Steve Halligan; 'richard'; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Code Green???
>
>
> I've had it infect machines patched for code red, but not patched with the
> ms sec. roll-up.
>
> Ian.
>
> On Tuesday 18 September 2001  5:34 pm, Steve Halligan wrote:
> > > This infected our previously patched for code red, winnt and win2k
> > > systems.. One of them I even fixed yesterday and put Microsoft's
> > > CodeRedCleanup tool on it. It is placing the root.exe file on the hard
> > > drive.
> >
> > Can anyone verify that this is infecting IIS server patched to current
> > levels?
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
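One way to triage the IIS log entries discussed in this thread, as an added example that is not part of any poster's message: it separates rejected requests for cmd.exe and root.exe from ones the server answered, and flags any readme.exe it served. The log layout, paths, addresses and the use of a 2xx status as the "answered" signal are assumptions; only the three file names come from the thread.

```python
from collections import Counter

# File names taken from the thread; everything else below is an assumption.
PROBE_NAMES = {"cmd.exe", "root.exe"}
PAYLOAD_NAME = "readme.exe"

# Constructed sample in W3C extended log format (documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-18 17:31:02 192.0.2.10 GET /scripts/root.exe 404
2001-09-18 17:31:03 192.0.2.10 GET /scripts/cmd.exe 404
2001-09-18 17:31:09 198.51.100.7 GET /scripts/root.exe 200
2001-09-18 17:32:40 203.0.113.5 GET /default.htm 200
2001-09-18 17:33:11 203.0.113.5 GET /readme.exe 200
"""

def parse(text):
    """Yield one dict per log entry, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated entries
                yield dict(zip(fields, values))

def triage(text):
    """Group worm-related requests: rejected probes, answered probes, payload served."""
    report = {"probes_rejected": Counter(), "probes_answered": [], "payload_served": []}
    for entry in parse(text):
        stem = entry["cs-uri-stem"]
        name = stem.replace("\\", "/").rsplit("/", 1)[-1].lower()
        answered = entry["sc-status"].startswith("2")
        if name in PROBE_NAMES and answered:
            report["probes_answered"].append((entry["c-ip"], stem))
        elif name in PROBE_NAMES:
            report["probes_rejected"][entry["c-ip"]] += 1
        elif name == PAYLOAD_NAME and answered:
            report["payload_served"].append((entry["c-ip"], stem))
    return report

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("rejected probes per source:", dict(result["probes_rejected"]))
    print("probes the server answered:", result["probes_answered"])
    print("readme.exe served to:", result["payload_served"])
```

Entries in the last two groups are the ones to follow up on the host itself; rejected probes alone match what Tim Parker describes seeing.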



