wiredfool

Frontier vs. the latest IIS Virus

There’s a new IIS virus making the rounds that’s hammering my Frontier servers with close to one request per second. This is bordering on a denial-of-service attack.

I’ve hacked up a responder from the hello world example that just delays, increments a counter, and returns an error. It does not log, and it does not go through mainresponder. It matches any request to the “www” host, which appears to be what the worm is targeting. (So this worm is HTTP 1.1 compliant, where the previous Code Red was HTTP 1.0.) I’m calling this Code Red 4, since it appears to have the same spreading pattern.

Update: Apparently the virus is called Nimda.
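A sketch of the responder logic described above, as an added Python example rather than the Frontier code in the download: it matches GET requests on the Host header, stalls, counts the hit in memory, returns an error, and writes no log entry for those hits. The delay, the 404 status, the port and all names are assumptions, since the post does not give them.

```python
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

TARGET_HOST = "www"    # bare host name the post says the worm requests
stats = {"hits": 0}    # counter kept in memory only, never written to a log
_lock = threading.Lock()


def is_worm_request(host_header):
    """Match the Host header against the bare name, ignoring case and port."""
    if not host_header:
        return False
    return host_header.strip().lower().partition(":")[0] == TARGET_HOST


def record_hit():
    with _lock:
        stats["hits"] += 1
        return stats["hits"]


class WormResponder(BaseHTTPRequestHandler):
    delay = 5.0        # seconds to stall; assumed, the post gives no figure
    error_code = 404   # assumed, the post only says "an error"

    def do_GET(self):
        self.quiet = is_worm_request(self.headers.get("Host"))
        if self.quiet:
            time.sleep(self.delay)   # hold the scanning client for a while
            record_hit()
            self._reply(self.error_code, b"")
        else:
            # Stand-in for handing the request on to the normal site code.
            self._reply(200, b"normal site\n")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        if not getattr(self, "quiet", False):   # stay silent for worm hits
            super().log_message(fmt, *args)


def make_server(port=8080, delay=5.0):
    handler = type("Responder", (WormResponder,), {"delay": delay})
    return ThreadingHTTPServer(("127.0.0.1", port), handler)


if __name__ == "__main__":
    make_server().serve_forever()
```

Each stalled request holds one server thread for the length of the delay, so the delay should stay small relative to the request rate the server is seeing.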

Download from:

http://updates.wiredfool.com/responders.codeRed4.fttb
or (backup)
http://www.soroos.net/responders.codeRed4.fttb

Installation:

This is an fttb file, otherwise known as a fat page. If it appears in your browser window, save the source to your hard drive, then open it in Frontier. Frontier will ask you where you want to install the file; the default is fine. Once it’s loaded, it will be inserted in the responder queue, where it will handle the virus requests.

1 Comment so far

  1. Commenter September 18th, 2001 11:02 am

    Eric-

    What are the install instructions?

    Paul
