==Exploited vulnerability==
The worm exploited a vulnerability in software distributed with IIS, described in Microsoft Security Bulletin MS01-033 (CVE-2001-0500), for which a patch had become available a month earlier.

The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated letter 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine. Kenneth D. Eichman was the first to discover how to block it, and was invited to the White House for his discovery.
==Worm payload==
The payload of the worm included:
• Defacing the affected web site to display: HELLO! Welcome to http://www.worm.com ! Hacked By Chinese!
• Other activities based on the day of the month:
  • Days 1–19: Trying to spread itself by looking for more IIS servers on the Internet.
  • Days 20–27: Launch denial of service attacks on several fixed IP addresses. The IP address of the White House web server was among these.
  • Days 28–end of month: Sleeps, no active attacks.

When scanning for vulnerable machines, the worm did not test whether the server running on a remote machine was running a vulnerable version of IIS, or even whether it was running IIS at all.
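Because the worm probed servers without checking what they ran, its requests can be found in the access logs of any web server. The following is an added example, not part of the original article: it scans Apache Common Log Format lines for a long run of 'N' in the request target, extracts the string after the last 'N', and maps the log date onto the schedule above. The 100-character threshold, the sample addresses, the path and the trailer string are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Apache Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
MIN_RUN = 100  # assumed threshold for "a long string of the repeated letter 'N'"

def phase(day):
    """Worm activity for a given day of the month, per the schedule above."""
    if day <= 19:
        return "spreading"
    if day <= 27:
        return "denial of service"
    return "sleeping"

def scan(lines, min_run=MIN_RUN):
    """Return one finding per request whose target contains a long run of 'N'."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access log line
        host, stamp, target = m.group(1, 2, 4)
        run = re.search(r"N{%d,}" % min_run, target)
        if not run:
            continue  # short runs such as /NEWS/NNN.html are ordinary traffic
        when = datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S")
        findings.append({
            "source": host,
            "phase": phase(when.day),  # based on the logging server's clock
            "n_count": len(run.group()),
            # Per the article, the payload is the string after the last 'N'.
            "trailer": target[target.rfind("N") + 1:],
        })
    return findings

# Constructed sample lines: addresses, path, dates and trailer are made up.
SAMPLE = [
    '192.0.2.10 - - [19/Jul/2001:14:02:11 +0000] "GET /placeholder?'
    + "N" * 224 + '%u1111%u2222=a HTTP/1.0" 404 205',
    '198.51.100.7 - - [19/Jul/2001:14:02:15 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [29/Jul/2001:03:10:00 +0000] "GET /NEWS/NNN.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```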
Apache access logs from this time frequently had entries such as these:

The worm's payload is the string following the last 'N'. Due to a buffer overflow, a vulnerable host interpreted this string as computer instructions, propagating the worm.

==Similar worms==