F-Secure have received no reports of this worm from the field.
CodeBlue is the Internet worm targeting Web sites by affecting Internet Information Servers (ISS).
Disinfection & Removal
The worm realizes the method of spreading from Web site to other Web sites by sending and executing its EXE file.
The name of the worm files are constant - SVCHOST.EXE and HTTPEXT.DLL. The EXE file is Win32 application (PE EXE file) about 29K of length, written in Microsoft C++. There also was compressed variant discovered, it is about 14K of size.
Note that the worm uses standard Win32 EXE file names. SVCHOST.EXE and HTTPEXT.DLL can be found in standard Win2000 installations in SYSTEM32 subfolder.
The worm infects only machines with installed IIS package and Web site contents. The worm application being run on a such machine locates and infects remote Web sites (remote machines with installed IIS package): it enters them and by using Web Directory Traversal exploit, sends its copy to there, and spawns that copy in there. As a result the worm infects all vlunerable Web servers that can be accessed from current infected machine, and other infected servers spread the worm copy further, e.t.c.
The worm has payload routine that from 10:00am till 11:00am global time performs DoS attack (Deny of Service) on some machine that seems to be somewhere in China.
When installing itself, the worm creates its copies (EXE and DLL) in the root of C: drive - C:\SVCHOST.EXE and C:\HTTPEXT.DLL. This EXE file is then registered in Registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Domain Manager = C:\svchost.exe
The worm then creates and swapns C:\D.VBS script file, then looks for INETINFO.EXE application and terminates it, if it is active. The VBS script program also looks to Indexing Service, Indexing Query and printer mapping and removes them.
As a result of above the worm disables security breaches that can be used (or were used) by other worms to infect the machine or/and hackers to break through Web security protections.
To spread further the worm runs 100 threads that scan randomly selected IP addresses and attack them.
In 50% of cases the attacked machines are in the same network, the attacked IP addresses are "aa.bb.??.??", where "aa.bb" is part of infected machine IP address, "??" are random.
In other 50% attacked addresses are really random.
To attack victim machine the worm uses Web Directory Traversal exploit three times:
1. it tries to determine IIS directory on remote machine, 2. then sends request to remote machine to download DLL component of the virus (HTTPEXT.DLL file) from infected one, 3. the last request is to copy that DLL file to C: root directory.
To upload DLL file to victim machine the worm uses "tftp" command, and activates temporary TFTP server on infected (current) machine to process "get data" command from victim (remote) machine.
When DLL file is uploaded to victim machine, it is activated by a trick. So the worm copy starts on remote server, then it drops and executes the EXE component, that then spreads virus futhrer.
Technical Details: Eugene Kaspersky; Kaspersky Labs, September 2001