This repository has been archived by the owner on Aug 18, 2023. It is now read-only.

CodeRed

Malware profile by Hendrik Griem-Altendorff and Paul Kobow

Classification

| Virus | Worm | Trojan | Ransomware | Botnet | Other |
|-------|------|--------|------------|--------|-------|
|       | ✔️   |        |            |        |       |

Facts & Figures

  • Year: 2001 [1]
  • Author: unknown
  • Language: unknown
  • Infections: > 359,000 within 14 hours [1]
  • Damage: None (Wake-Up-Call) [1]

Description

Version 1

On July 12, 2001, a worm began to exploit a buffer-overflow vulnerability in Microsoft's IIS web servers. Upon infecting a machine, the worm checks whether the date (as kept by the system clock) is between the first and the nineteenth of the month. If so, it generates a random list of IP addresses and probes each machine on the list in an attempt to infect as many computers as possible. However, this first version of the worm uses a static seed in its random number generator and thus generates identical lists of IP addresses on each infected machine. As a result, the first version spread slowly: each newly infected machine started out probing machines that were either already infected or impregnable. The worm is programmed to stop infecting other machines on the 20th of every month. In its next attack phase, it launches a Denial-of-Service attack against www1.whitehouse.gov from the 20th to the 28th of each month. [1]

Version 2

Version 2 is identical to Version 1 but has an improved random-number generator, which made it spread much more efficiently.
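The effect of the static seed can be seen in a toy propagation model. This is an added example, not part of the original profile and not derived from the worm's code: the address space, host counts, probe rate, the placeholder seed value and the way Version 2's seeding is modelled (each host seeded with its own address) are all assumptions chosen for illustration.

```python
import random

ADDRESS_SPACE = 20_000    # toy address space (constructed, not real IPs)
VULNERABLE = 2_000        # vulnerable hosts placed in that space
PROBES_PER_ROUND = 20     # probes each infected host sends per round
STATIC_SEED = 0xC0DE      # placeholder constant, not the worm's actual seed

def simulate(static_seed, rounds=30, world_seed=1):
    """Return the number of infected hosts after each round."""
    world = random.Random(world_seed)
    vulnerable = set(world.sample(range(ADDRESS_SPACE), VULNERABLE))
    patient_zero = min(vulnerable)

    def new_rng(host):
        # Version 1: every host seeds identically, so every probe list is
        # the same sequence. Version 2 is modelled (assumption) by seeding
        # each host's generator with its own address.
        return random.Random(STATIC_SEED if static_seed else host)

    infected = {patient_zero: new_rng(patient_zero)}
    history = []
    for _ in range(rounds):
        newly = set()
        for rng in list(infected.values()):
            for _ in range(PROBES_PER_ROUND):
                target = rng.randrange(ADDRESS_SPACE)
                if target in vulnerable and target not in infected:
                    newly.add(target)
        for host in newly:
            infected[host] = new_rng(host)
        history.append(len(infected))
    return history

if __name__ == "__main__":
    v1, v2 = simulate(static_seed=True), simulate(static_seed=False)
    for rnd in (5, 10, 20, 30):
        print(f"round {rnd:2d}: static seed {v1[rnd-1]:5d}   varied seed {v2[rnd-1]:5d}")
```

With a shared seed, every new host replays the prefix of the list the first host has already walked, so the population as a whole never covers more than one host's worth of addresses and growth stays linear; with per-host seeds, coverage multiplies with each new infection.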

Footnotes

  1. https://www.caida.org/research/security/code-red/