Eine Viruswarnung über "Code Red Worm" wurde mir zugeschickt, für einen Virus, der von Virenscannern nicht erkannt wird, weil er komplett speicherresident sein soll. In der Mail stand, dass mein Notebook möglicherweis betroffen wäre.

Ich habe den Rechner sofort mit dem neuesten Virenscanner durchsucht aber - wie in der Mail auch angekündigt - nicht gefunden. (Ich haenge die Viruswarnung hier an; über den angegebenen Link findet man eine genaus Analyse in einem PDF_Dokument.) Ein Reboot soll den Virus wieder entfernen. Es wird geraten, verfügbare Patches zu installieren.

Franz Fiala

-------

Hello,

This mail is from the ARIS Analyzer Service (Attack Registry and Intelligence
Service) from SecurityFocus.

As you are probably aware from the media, the Code Red worm started spreading again on August 1, UTC. It has come to our attention that your system(s), listed below have been identified as being compromised by the Code Red Worm.
The Code Red Worm is rapidly spreading across the Internet, compromising

vulnerable Windows NT IIS servers.

You may have received an e-mail from us yesterday. Even if this note
covers some of the same IP addresses, these are different incidents, reported
by a different set of users. Many ISPs and providers use dynamic addresses,
so it is entirely possible that the same IP address may be a different
user an hour later. We apologize for any duplication.

The addresses identified as belonging to you are as follows:

Wed Aug 1 15:44:13 2001 GMT 194.152.163.28

You can find up to date information on the Code Red Worm at:

http://aris.securityfocus.com/alerts/codered

This note is being sent as a public service. This is intended to
inform you of a potentially compromised machine on your network, or at least what appears to be your network, based on the reverse DNS information for the attacking IP. The last time Code Red was spreading, many adminitrators were not aware that they had been compromised. If you were already aware of this fact, then we apologize for sending duplicate information.

FAQ about this mailing:

Q: Is there any possibility that this is a false alarm?

A: Yes, some of the reports are scans for port 80 on non-existant hosts. For those, we cannot say for certain that it was Code Red, however, much of the data was from IDS systems or web logs where a positive ID of Code Red was made. We feel that this data has a high degree of accuracy, and hope that you will check the host in question for possible infection.

Q: How do you know I've been compromised? Were you probing my network?

A: We did no probing. The information we based our mailing on is from other Internet users who received Code Red attempts from your address. SecurityFocus did no probing, the information was collected passively.

Q: I need to know what IP address was being attacked.

A: In many cases, we don't have that information. The log entries earlier in this note are what we were given.

Q: How do I tell if I've been infected? Won't my virus scanner spot it?

A: Unfortunately, since Code Red is completely memory-resident, it never leaves any files or other typical forensic traces, other than the network activity. This will prevent many virus scanners from being able to detect it. Fortunatly, it is easy to clean up after. Simply apply the patches for the original hole, then reboot.

Q: Why did I receive so many copies of this note?

A: We mailed to 4 e-mail addresses at each domain, see
the To line. We apologize for having to use so many,
but there is really not a good way to determine which
addresses are valid or appropriate for a given site. In addition, some people may be the contact for multiple domains, and we did 4 addresses per domain.

Q: Isn't this SPAM?

A: We certainly don't consider it to be so. It does mention
a (free) service we offer, however that is intended to
explain who we are, and why we are mailing this, not to
drum up more users.

Q: How do I get off of this mailing list?

A: This is not a mailing list, not in the traditional sense.
We are not maintaining a list of subscribers. We are mailing administrators for domains that have infected hosts. These mailings are totally driven by the Code Red event. There is no list to be removed from. The best way to avoid getting the messages from us (or other people, for that matter) is to ensure that the patches are applied, and that you can no longer be infected by Code Red.

Q: How do I reach a human?

A: The codered@securityfocus.com address is being monitored by a human, however during one of these mailings it gets quite backed up. If you require assistance, and would like a response sooner rather than later, please mail aris-report@securityfocus.com .

Thank you,

The SecurityFocus ARIS Analyst Team aris-report@securityfocus.com

--
Kustodenforum: Liste fuer den Meinungsaustausch von Kustoden
an osterreichischen Schulen.
Diese Liste wird vom Computer Communications Club (http://www.ccc.at) betrieben. Um sich aus der Liste austragen zu lassen, senden Sie ein e-mail an majordomo@ccc.at mit dem Befehl "unsubscribe kustodenforum" im Nachrichtentext.