CodeBlue, IISWorm_BlueCode, BlueCode, Code Blue


F-Secure have received no reports of this worm from the field.

CodeBlue is the Internet worm targeting Web sites by affecting Internet Information Servers (ISS).


Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more
Knowledge Base

Find the latest advice in our Community Knowledge Base.

Product Manual

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The worm realizes the method of spreading from Web site to other Web sites by sending and executing its EXE file.

The name of the worm files are constant - SVCHOST.EXE and HTTPEXT.DLL. The EXE file is Win32 application (PE EXE file) about 29K of length, written in Microsoft C++. There also was compressed variant discovered, it is about 14K of size.

Note that the worm uses standard Win32 EXE file names. SVCHOST.EXE and HTTPEXT.DLL can be found in standard Win2000 installations in SYSTEM32 subfolder.

The worm infects only machines with installed IIS package and Web site contents. The worm application being run on a such machine locates and infects remote Web sites (remote machines with installed IIS package): it enters them and by using Web Directory Traversal exploit, sends its copy to there, and spawns that copy in there. As a result the worm infects all vlunerable Web servers that can be accessed from current infected machine, and other infected servers spread the worm copy further, e.t.c.

The worm has payload routine that from 10:00am till 11:00am global time performs DoS attack (Deny of Service) on some machine that seems to be somewhere in China.

When installing itself, the worm creates its copies (EXE and DLL) in the root of C: drive - C:\SVCHOST.EXE and C:\HTTPEXT.DLL. This EXE file is then registered in Registry auto-run key:

 Domain Manager = C:\svchost.exe

The worm then creates and swapns C:\D.VBS script file, then looks for INETINFO.EXE application and terminates it, if it is active. The VBS script program also looks to Indexing Service, Indexing Query and printer mapping and removes them.

As a result of above the worm disables security breaches that can be used (or were used) by other worms to infect the machine or/and hackers to break through Web security protections.

To spread further the worm runs 100 threads that scan randomly selected IP addresses and attack them.

In 50% of cases the attacked machines are in the same network, the attacked IP addresses are "", where "" is part of infected machine IP address, "??" are random.

In other 50% attacked addresses are really random.

To attack victim machine the worm uses Web Directory Traversal exploit three times:

1. it tries to determine IIS directory on remote machine,
2. then sends request to remote machine to download DLL

 component of the virus (HTTPEXT.DLL file) from infected one,
3. the last request is to copy that DLL file to C: root directory.

To upload DLL file to victim machine the worm uses "tftp" command, and activates temporary TFTP server on infected (current) machine to process "get data" command from victim (remote) machine.

When DLL file is uploaded to victim machine, it is activated by a trick. So the worm copy starts on remote server, then it drops and executes the EXE component, that then spreads virus futhrer.

Date Created: -

Date Last Modified: -