From: aleph1@securityfocus.com
To: bugtraq-press@securityfocus.com
Subject: ********************* ALERT: Code Red II *********************
Date: Sat, 4 Aug 2001 20:27:11 -0600

Today we have detected a new version of the Code Red worm on the loose. We are calling the worm Code Red II.

Details of the worm are still sketchy. We do know that this variant of the worm appears to use the same vulnerability as the last one, the IIS Index Server/Indexing Services ISAPI buffer overflow.

This worm appears to be different in that it leaves a backdoor that could be used by attackers to infiltrate the system at a later date. It does this by copying the cmd.exe program into the web server root where it can be accessed by an attacker.

The worm was easily detected by our ARIS system. The system collects intrusion detection logs from systems across the Internet.

We have a copy of the worm and are in the process of dissecting it. We'll provide more information as it becomes available.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
Cell: 650-208-4900
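A check an administrator could run for the backdoor the alert describes, added here as an example and not part of the original message: it walks a web content directory and reports any file that is a byte-for-byte copy of the command interpreter, matching on content because the alert does not say what name the copy is given. The function names, the directory layout and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_shell_copies(web_root, reference_shell):
    """Return (path, reason) for files under web_root that are an exact copy of
    reference_shell, or that begin with the 'MZ' executable header."""
    ref_hash = sha256_of(reference_shell)
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    magic = f.read(2)
                if sha256_of(path) == ref_hash:
                    findings.append((path, "copy of command interpreter"))
                elif magic == b"MZ":
                    findings.append((path, "executable in web content"))
            except OSError:
                findings.append((path, "unreadable"))
    return findings

def demo():
    """Build a constructed sample tree (stand-in bytes, not real binaries) and scan it."""
    shell_bytes = b"MZ" + b"constructed-shell-bytes"
    with tempfile.TemporaryDirectory() as tmp:
        shell = os.path.join(tmp, "cmd.exe")
        root = os.path.join(tmp, "webroot")
        os.makedirs(os.path.join(root, "scripts"))
        files = {shell: shell_bytes,
                 os.path.join(root, "index.html"): b"<html></html>",
                 os.path.join(root, "scripts", "renamed.exe"): shell_bytes,
                 os.path.join(root, "tool.bin"): b"MZ" + b"other"}
        for path, data in files.items():
            with open(path, "wb") as f:
                f.write(data)
        return [(os.path.relpath(p, root), r) for p, r in find_shell_copies(root, shell)]

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

On a real server the two arguments to `find_shell_copies` would be the site's content directory and the system's own command interpreter.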