F-Secure have received no reports of this worm from the field.
CodeBlue is an Internet worm that targets Web sites by infecting
Microsoft Internet Information Servers (IIS). The worm spreads from
one Web site to other Web sites by sending and executing its EXE
file.
The names of the worm's files are constant: SVCHOST.EXE and
HTTPEXT.DLL. The EXE file is a Win32 application (PE EXE file)
about 29K in length, written in Microsoft C++. A compressed variant
about 14K in size has also been discovered.
Note that the worm uses the names of standard Win32 system files:
SVCHOST.EXE and HTTPEXT.DLL are found in the SYSTEM32 subfolder of
standard Win2000 installations, so a file with one of these names is
suspicious only when it is found outside that folder.
The worm infects only machines that have the IIS package and Web
site content installed. When run on such a machine, the worm
locates and infects remote Web sites (remote machines with IIS
installed): it enters them through a Web Directory Traversal
exploit, sends its copy there, and spawns that copy. As a result
the worm infects all vulnerable Web servers reachable from the
currently infected machine, those infected servers spread the copy
further, and so on.
The worm has a payload routine that from 10:00am till 11:00am
global time performs a DoS (Denial of Service) attack on a machine
that appears to be located somewhere in China.
When installing itself, the worm creates its copies (EXE and DLL)
in the root of the C: drive, as C:\SVCHOST.EXE and C:\HTTPEXT.DLL.
The EXE file is then registered in a Registry auto-run key:
The worm then creates and spawns the script file C:\D.VBS, then
looks for the INETINFO.EXE application and terminates it if it is
running. The VBS script also looks for the Indexing Service,
Indexing Query and printer mapping and removes them.
As a result, the worm closes the security holes that can be used
(or were used) by other worms to infect the machine and/or by
hackers to break through Web security protections.
To spread further the worm runs 100 threads that scan randomly
selected IP addresses and attack them.
In 50% of cases the attacked machines are in the same network: the
attacked IP addresses are "aa.bb.??.??", where "aa.bb" is taken
from the infected machine's IP address and "??" are random.
In the other 50% of cases the attacked addresses are fully random.
To attack a victim machine the worm uses the Web Directory
Traversal exploit three times:
1. it tries to determine the IIS directory on the remote machine,
2. then sends a request to the remote machine to download the DLL
component of the virus (the HTTPEXT.DLL file) from the infected one,
3. the last request copies that DLL file to the C: root directory.
To upload the DLL file to the victim machine the worm uses the
"tftp" command, and activates a temporary TFTP server on the
infected (current) machine to serve the "get data" command from the
victim (remote) machine.
When the DLL file has been uploaded to the victim machine, it is
activated by a trick. So the worm copy starts on the remote server,
then drops and executes the EXE component, which then spreads the
virus further.
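As an added defender-side example (not part of the original analysis), the following Python script checks for the two indicators this description gives: the worm's files dropped in the C: root rather than in SYSTEM32, and IIS log requests that show the traversal / tftp / HTTPEXT.DLL pattern of the three-step attack. The log lines, client addresses and request strings are constructed for illustration; the field layout assumed is the standard W3C extended log format.

```python
"""Checks for the CodeBlue indicators described above (added example)."""
from pathlib import PureWindowsPath
from urllib.parse import unquote

# File names the worm drops in the drive root; the same EXE/DLL names
# legitimately exist in SYSTEM32, so location is what matters.
WORM_DROPS = {"svchost.exe", "httpext.dll", "d.vbs"}


def is_worm_drop(path: str) -> bool:
    """True when a worm file name sits directly in a drive root
    (e.g. C:\\SVCHOST.EXE) instead of a normal folder like SYSTEM32."""
    p = PureWindowsPath(path)
    if not p.anchor:            # relative path, no drive: cannot judge
        return False
    return p.name.lower() in WORM_DROPS and p.parent == PureWindowsPath(p.anchor)


def suspicious_requests(log_lines):
    """Scan W3C-style IIS log lines (date time c-ip method uri-stem
    uri-query status) and report requests showing directory traversal,
    a tftp transfer, or the worm's DLL name. Returns (client, reasons)."""
    hits = []
    for line in log_lines:
        if not line or line.startswith("#"):
            continue            # skip W3C header lines
        fields = line.split()
        if len(fields) < 6:
            continue
        client, stem, query = fields[2], fields[4], fields[5]
        # Decode percent-encoding first so encoded ".." is still matched
        req = unquote(stem + "?" + query).lower()
        reasons = []
        if ".." in req:
            reasons.append("directory traversal")
        if "tftp" in req:
            reasons.append("tftp transfer")
        if "httpext.dll" in req:
            reasons.append("worm DLL name")
        if reasons:
            hits.append((client, reasons))
    return hits


# Constructed sample log (not captured traffic): one normal request, then the
# worm's three steps from one client: probe, tftp fetch of the DLL, copy to C:\.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-09-10 10:05:12 10.0.0.5 GET /default.htm - 200",
    "2001-09-10 10:05:13 10.0.0.77 GET /scripts/..%2f..%2f/ - 404",
    "2001-09-10 10:05:14 10.0.0.77 GET /scripts/..%2f..%2f/ tftp+get+httpext.dll 200",
    "2001-09-10 10:05:15 10.0.0.77 GET /scripts/..%2f..%2f/ copy+httpext.dll+c:\\ 200",
]

if __name__ == "__main__":
    for client, why in suspicious_requests(SAMPLE_LOG):
        print(client, ", ".join(why))
    print(is_worm_drop(r"C:\SVCHOST.EXE"), is_worm_drop(r"C:\WINNT\SYSTEM32\SVCHOST.EXE"))
```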
[Analysis: Eugene Kaspersky; Kaspersky Labs, September 2001]