Cisco Support Community
CodeRed II

I have just received notification via BUGTRAQ about the CodeRed II Worm. Just to be clear, in this post I will refer to the CodeRed version 1 and version 2 as 'CodeRed' and I will refer to CodeRed II as 'CodeRed II'. (It is thought right now that they are 2 different worms, not the same.)

'CodeRed' makes the request of

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3

%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

HTTP/1.0

'CodeRed II' makes the request of /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3

%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

HTTP/1.0

I have the string signature update for the original CodeRed. I am new to reading string signatures, so my question is: will the original string signature Cisco released for 'CodeRed' work with 'CodeRed II'? Thanks.

1 REPLY
New Member

Re: CodeRed II

The second string posted by klwiley@cisco.com in this forum will detect this new worm.

The string:

"[/]default[.]ida[?][a-zA-Z0-9]+%u"

will match and fire for the "codered II" worm. Check the post from klwiley for more detailed information on what settings to use.

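Added example, not part of the original thread or of Cisco's signature update: the signature string quoted in the reply, run over constructed web-server log lines to show that it fires on both the N-padded and the X-padded request and stays quiet on ordinary traffic. It assumes Python's `re` module evaluates the string the same way the IDS does; the log format, addresses, padding length and the `classify`/`scan` helper names are constructed for illustration.

```python
import re

# Signature string exactly as quoted in the reply above.
SIGNATURE = re.compile(r"[/]default[.]ida[?][a-zA-Z0-9]+%u")
# Same pattern with a capture group, used only to label a hit by its padding.
PADDING = re.compile(r"[/]default[.]ida[?]([a-zA-Z0-9]+)%u")


def classify(request_line):
    """Return None when the signature does not fire, otherwise a label."""
    if not SIGNATURE.search(request_line):
        return None
    pad = PADDING.search(request_line).group(1)
    if set(pad) == {"N"}:
        return "CodeRed"       # N padding, as in the first request in the post
    if set(pad) == {"X"}:
        return "CodeRed II"    # X padding, as in the second request in the post
    return "other .ida request with %u data"


def scan(log_lines):
    """Return (line number, label) for every log line the signature fires on."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        label = classify(line)
        if label is not None:
            hits.append((lineno, label))
    return hits


# Constructed sample log (documentation addresses, shortened request tails).
SAMPLE_LOG = [
    '192.0.2.10 "GET /default.ida?' + "N" * 200 + '%u9090%u6858 HTTP/1.0" 404',
    '192.0.2.11 "GET /index.html HTTP/1.0" 200',
    '192.0.2.12 "GET /default.ida?' + "X" * 200 + '%u9090%u6858 HTTP/1.0" 404',
    '192.0.2.13 "GET /default.ida?query=1 HTTP/1.0" 404',   # no %u data
    '192.0.2.14 "GET /default.ida?%u9090 HTTP/1.0" 404',    # no padding run
    '192.0.2.15 "GET /default.ida?abc123%u0041 HTTP/1.0" 404',
]

if __name__ == "__main__":
    for lineno, label in scan(SAMPLE_LOG):
        print(f"line {lineno}: signature fired ({label})")
```

Because `[a-zA-Z0-9]+` accepts any alphanumeric run, the signature keys on the `.ida` request followed by `%u` data rather than on the specific filler character, which is why one string covers both worms.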