
Code Red III analysis in short (and disassembly available)

posted on August 5, 2001
by hitbsecnews

eEye.com have done an analysis of the new worm that calls itself CodeRedII (which is actually Code Red III, because there was already a Code Red two variant of the Code Red I worm). It is 3.8k in size and contains a 1.6k trojan saved to d:\explorer.exe, as well as copying cmd.exe to two cgi directories! I have done an analysis, too, but only of the main worm (not of the trojan).

The main worm has a new randomizer: If the IP of the infected host is 12.34.56.78, 12.5% of the targets will be random from 1-254.1-254.1-254.1-254 (without 27.../224...), but 37.5% will be in 12.34.56.1-254 (without the host itself) and 50% will be in 12.34.1-254.1-254 (again without the host itself)....
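The target-selection rule above is worth quantifying, because it is what makes an infected host flood its own neighbourhood. The following Python model is an added example (not the worm's code and not part of the original post): it draws targets with the stated 12.5% / 37.5% / 50% split, excludes the host itself, and measures what share of one host's scan traffic lands in its own /24 and /16. The post's "27..." exclusion is read here as the 127.0.0.0/8 loopback range (an assumption); the host address, seed and sample size are constructed values.

```python
import random
from fractions import Fraction

# Model of the target-selection rule described in the post (added example).
# For an infected host A.B.C.D:
#   1/8 of targets: fully random 1-254.1-254.1-254.1-254, skipping 127.* and 224.*
#   3/8 of targets: A.B.C.x   (same /24), never the host itself
#   1/2 of targets: A.B.x.x   (same /16), never the host itself


def _octet(rng):
    """One octet in 1..254, as the post states (no 0 or 255)."""
    return rng.randint(1, 254)


def choose_target(host, rng):
    """Return one target as a 4-tuple following the post's distribution.
    host is a 4-tuple of ints; rng is a random.Random instance."""
    a, b, c, d = host
    while True:
        r = rng.random()
        if r < 0.125:
            # 12.5%: random address; reading "27..." as loopback (127.*) is an assumption.
            t = (_octet(rng), _octet(rng), _octet(rng), _octet(rng))
            if t[0] in (127, 224):
                continue  # redraw, the worm skips these ranges
        elif r < 0.5:
            # next 37.5%: same /24 as the host
            t = (a, b, c, _octet(rng))
        else:
            # remaining 50%: same /16 as the host
            t = (a, b, _octet(rng), _octet(rng))
        if t == host:
            continue  # the host never targets itself
        return t


def scan_profile(host, n=100_000, seed=1):
    """Simulate n target choices and return (share in own /24, share in own /16),
    the /16 share including the /24.  This is the per-host local load a
    defender would see on the subnet from a single infected machine."""
    rng = random.Random(seed)
    a, b, c, _ = host
    same24 = same16 = 0
    for _ in range(n):
        t = choose_target(host, rng)
        if t[:2] == (a, b):
            same16 += 1
            if t[2] == c:
                same24 += 1
    return same24 / n, same16 / n


def expected_local_share():
    """Exact expected fraction of targets inside the host's own /16, ignoring the
    negligible chance that the fully random 1/8 also lands there: 3/8 + 1/2 = 7/8."""
    return Fraction(3, 8) + Fraction(1, 2)


if __name__ == "__main__":
    # Constructed host address taken from the post's own illustration.
    host = (12, 34, 56, 78)
    in24, in16 = scan_profile(host, n=50_000)
    print(f"same /24: {in24:.3f}   same /16: {in16:.3f}   expected /16: {expected_local_share()}")
```

Running it shows roughly 0.375 of targets in the host's /24 and about 0.875 in its /16, i.e. seven of every eight probes from one infected IIS box stay inside the local /16. That is why a single infection shows up first as a burst of port 80 connection attempts across neighbouring addresses, which is the signal a subnet-level flow monitor or IDS should key on.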

CodeRedII is quite optimized for size (the trojan not) and seems to be made by a different author. If LangID is Chinese (0x404 or 0x804, thanks to eEye for looking up those numbers), it will double infection speed from the normal 300 threads every 1/10 sec.

One of the 300/600 threads will do the trojan dropping and cmd.exe to root.exe copying, then wait for 1 or 2 days (2 if Chinese) and reboot the system. If the date is Sep/2001 or later, every thread will shut down or reboot the infected host, kind of a self destruct function.

There is no DDoS inside this one (except the "Chinese speedup"), but opening a SYSTEM backdoor and flooding the local subnet is annoying enough!

(comment by myself, Eric Auer, but see eeye.com for a better analysis :-))
