andy at theasis.com wrote:
>
> > > Just a worm looking for copies of IIS and hoping to exploit a buffer
> > > overflow. The requests start off with "GET /default.ida?NNNN..." and
> > > are too large to be anything but a buffer overflow attempt.
> > >
> > > The only article I've been able to find about the worm is at
> > > http://www.newsbytes.com/news/01/168003.html?&_ref=923747745
> >
> > http://www.securityfocus.com/templates/headline.html?id=12004
> > http://www.msnbc.com/news/602036.asp?cp1=1

And of course last but not least a real in-depth technical explanation of what codered is, what it does, and how it spreads instead of newsflash fluff. ;P
http://www.eeye.com/html/Research/Advisories/AL20010717.html

Cute. Whoever wrote it knew their win32. The stuff in the GET line is just a bootstrap, the real worm code is in the rest of the HTTP request, and thus not logged. I've written me a CGI to grab the complete virus next time I get hit. Heh. I've gotten 21 attempts so far.
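Added example, not part of the original thread: a small access-log scan that counts the oversized `GET /default.ida?...` requests described above per source host, working only from the logged request line (the rest of the request is not in the log). The Common Log Format layout, the 128-byte query threshold, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
MAX_QUERY = 128  # assumed threshold, not from the thread; tune for your site


def is_ida_overflow_probe(target, max_query=MAX_QUERY):
    """True if the request target is /default.ida with an oversized query."""
    path, _, query = target.partition("?")
    # IIS paths are case-insensitive, so compare in lower case.
    return path.lower().endswith("/default.ida") and len(query) > max_query


def scan(lines):
    """Return a Counter mapping source host -> number of flagged requests."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line)
        if m and is_ida_overflow_probe(m.group(3)):
            hits[m.group(1)] += 1
    return hits


# Constructed sample log lines: documentation addresses, filler only, no payload.
FILLER = "N" * 224
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Aug/2001:10:01:02 -0400] "GET /default.ida?{FILLER} HTTP/1.0" 404 205',
    '198.51.100.7 - - [01/Aug/2001:10:01:09 -0400] "GET /index.html HTTP/1.0" 200 1432',
    f'192.0.2.10 - - [01/Aug/2001:10:04:41 -0400] "GET /default.ida?{FILLER} HTTP/1.0" 404 205',
    f'203.0.113.5 - - [01/Aug/2001:10:07:13 -0400] "GET /DEFAULT.IDA?{FILLER} HTTP/1.0" 404 205',
    '198.51.100.7 - - [01/Aug/2001:10:09:30 -0400] "GET /default.ida?q=test HTTP/1.0" 404 205',
]

if __name__ == "__main__":
    for host, count in scan(SAMPLE_LOG).most_common():
        print(f"{host}\t{count} oversized /default.ida request(s)")
```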