

info: 4039 Jul 16 2001 codered.exe
md5sum: 6f5767ec5a9cc6f7d195dde3c3939120 codered.exe
sha1sum: 4605a2d0aae8fa5ec0b72973bea928762cc6d002 codered.exe

Threat: CodeRed Worm
File: C:\malware\codered.exe
Date found: Tuesday, December 13, 2005 8:57:29 PM

Links are broken.

Use this:

Note: This is a TCP stream dump, not an .EXE

This isn't actually an MZ .exe or anything. It's the IIS Unicode buffer-overflow-whatever-explosion-thingy attack. That jumps into the following shellcode/wormcode. (I've lost track of all of the exploits surrounding IIS and Unicode.) eEye wrote up a pretty good analysis of this, if I remember. This one, and "Code Red ver.2". I'll paste the URLs here later to save people the trouble of looking it up.
Now that I think about it... eEye has samples of each worm up on their web site. And to my naked eye, I think that they're identical to this one. Only not named "codered.EXE".

By the way, I don't recommend anyone do this, but if you need to revive this worm for testing/analysis, just do:

zcat | nc 80