binary payload packets to see whether it has been mutated... Last night Symantec were saying the only way it would start again is if it was reinjected into the Network. According to Symantec (yesterday) the original version was coded to permanently hibernate - so if we are receiving probes again it must mean someone has put it back in the wild... If so it may be a different beast...
Check out some of the code red analysis sites. They showed that code red was still probing even during the "dormancy phase" from some servers that had their system clocks set wrong (thusly making code red think it was still the 8th or whatever on those machines). They predicted that servers that were still hacked and had system times set wrong would re-inject the worm into the internet when the rest of the correctly set clocks clicked round to the 1st. It appears that this is what has happened.

There may indeed be unknown mutated versions out there, but as far as I know there is only crv1, crv2a and crv2b. All this information can be seen in the Code Red FAQ at http://www.incidents.org/react/code_red.php

Chris Rigby
Senior Systems Engineer
IHUG - Into the Internet

---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
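The mis-set-clock explanation above suggests a concrete check a site can run on its own web server logs: pick out Code Red probes and see which source addresses are still probing on days when a correctly clocked copy of the worm should be dormant. The script below is an added illustration, not code from the thread or from incidents.org. It assumes the widely reported CRv1/CRv2 day-of-month schedule (spread on days 1-19, flood on 20-27, sleep from the 28th) and a simplified, constructed log format of "date time client-ip method uri status"; the sample lines are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# CRv1/CRv2 probes arrive as a GET for /default.ida? followed by a long run of
# 'N' padding (Code Red II used 'X'). The match is deliberately loose so that a
# truncated URI field in the log still matches.
PROBE_RE = re.compile(r"^/default\.ida\?[NX]{8,}")

# Constructed sample log, not real traffic. Fields: date time client-ip method uri status
SAMPLE_LOG = """\
2001-07-19 10:02:11 203.0.113.7 GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 200
2001-07-19 10:03:05 198.51.100.9 GET /index.html 200
2001-07-29 03:14:00 203.0.113.7 GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 200
2001-07-30 17:41:27 192.0.2.44 GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 404
2001-08-01 00:05:12 192.0.2.44 GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 200
2001-08-01 00:06:30 198.51.100.9 GET /robots.txt 200
"""


def worm_phase(day_of_month):
    """Behaviour a CRv1/CRv2 host should show for the day its own clock reports
    (assumed schedule: 1-19 propagate, 20-27 flood, 28 onward dormant)."""
    if day_of_month < 20:
        return "propagate"
    if day_of_month < 28:
        return "flood"
    return "dormant"


def parse_line(line):
    """Split one constructed log line into the fields the analysis needs."""
    date, time, ip, _method, uri, _status = line.split()
    return {
        "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "ip": ip,
        "uri": uri,
    }


def find_probes(log_text):
    """Return only the records whose URI looks like a Code Red probe."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if PROBE_RE.match(r["uri"])]


def suspect_clocks(log_text):
    """Count probes per source and flag those seen on a day when a correctly
    clocked worm should be sleeping: the 'wrong system clock' hosts the thread
    describes are the likely explanation for out-of-phase probes."""
    report = defaultdict(lambda: {"probes": 0, "out_of_phase": 0})
    for r in find_probes(log_text):
        entry = report[r["ip"]]
        entry["probes"] += 1
        # The log timestamp is the observer's clock; a probe landing during the
        # dormant window means the sender's clock disagrees with it.
        if worm_phase(r["when"].day) == "dormant":
            entry["out_of_phase"] += 1
    return dict(report)


if __name__ == "__main__":
    for ip, counts in suspect_clocks(SAMPLE_LOG).items():
        flag = "  <- probing during dormancy window" if counts["out_of_phase"] else ""
        print(f"{ip}: {counts['probes']} probe(s), {counts['out_of_phase']} out of phase{flag}")
```

Run against real IIS logs you would replace `parse_line` with a parser for the W3C extended format in use and widen `PROBE_RE` only if your log truncates the query string; the phase logic itself stays the same, and a source that keeps probing past the 28th is the one worth contacting about its clock and its patch level.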