#27929 Sun 09 Sep 2001 09:08:AM
Mission Commander (OP) | Joined: Feb 2001 | Posts: 3,536
Virus Information:
Date Discovered: 9/7/01
Date Added: 9/7/01
Origin: Unknown
Length: 46,587 (dll) 28,672 (exe) 14,336 (pack)
Type: Virus
SubType: Internet Worm
DAT Required: 4159

This threat is not considered to be in the wild.

This worm infects Windows NT/2000 systems that are running Microsoft's IIS server software.

W32/CodeBlue.worm is not that similar to W32/CodeRed.worm. Unlike CodeRed, it writes files to the hard disk, causes its victim's machine to make a pull request to infect (rather than pushing itself down to that machine), and does not use a buffer overflow exploit.

W32/CodeBlue.worm targets random IP addresses, looking for systems to infect. It accomplishes the infection by making use of the "Web Server Folder Traversal" Vulnerability.

When a vulnerable system is located, a crafted URL is sent to that IP address which initiates an FTP get request on the remote machine. This causes it to download the file HTTPEXT.DLL into an IIS folder with execute rights (scripts, msadc, iisadmin, _vti_bin, iissamples, iishelp, or webpub). This allows the worm to execute this .DLL via a URL request. Once this request has been made, the DLL drops the file C:\SVCHOST.EXE (note: there is a valid SVCHOST.EXE file in the SYSTEM32 directory) and creates a registry run key to load itself at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Domain Manager=c:\svchost.exe

The SVCHOST.EXE file drops a VBScript (C:\D.VBS), calls it, and then deletes it. The script removes the IIS service mappings .IDA, .IDQ, and .PRINTER.

Finally, if the time is between 10am - 11am the worm will initiate a denial of service attack against a website in China.

Indications Of Infection:

Presence of HTTPEXT.DLL on the system and C:\SVCHOST.EXE (28,672 bytes long or 14,336 [packed])

Removal Instructions:

 * Use specified engine and data files for detection and removal.
 * Apply the Microsoft patch for the "Web Server Folder Traversal" Vulnerability.
 * If desired, restore the .IDA, .IDQ, and .PRINTERS IIS server mappings.
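A defender-side check for the indicators the post lists (requests for HTTPEXT.DLL under the executable IIS folders, the dropped C:\SVCHOST.EXE at either stated size, and the "Domain Manager" Run value), written as an added example that is not part of the original post or the vendor advisory. The W3C log field order, the sample log lines and the file and registry snapshots are constructed stand-ins; on a real host you would feed it os.stat() and winreg results instead.

```python
import re

# Indicators quoted from the advisory above; the sample data further down is constructed.
IIS_EXEC_DIRS = ("scripts", "msadc", "iisadmin", "_vti_bin", "iissamples", "iishelp", "webpub")
DROPPED_DLL = "httpext.dll"
DROPPED_EXE = "c:/svchost.exe"         # the copy outside SYSTEM32 is the worm's
SVCHOST_SIZES = {28672, 14336}         # unpacked / packed
RUN_VALUE_NAME = "domain manager"      # value under HKLM\...\CurrentVersion\Run

# A request for the dropped DLL under one of the IIS folders that carry execute rights.
_DLL_REQUEST = re.compile(r"/(?:%s)/%s$" % ("|".join(IIS_EXEC_DIRS), re.escape(DROPPED_DLL)), re.I)

def flag_iis_log(lines):
    """Return (client_ip, uri) for every W3C log line that requests HTTPEXT.DLL.
    Assumed (constructed) field order: date time c-ip cs-method cs-uri-stem sc-status."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue                   # directive, blank or truncated line
        client_ip, uri = fields[2], fields[4]
        if _DLL_REQUEST.search(uri):
            hits.append((client_ip, uri))
    return hits

def check_host_indicators(file_sizes, run_values):
    """file_sizes: path -> size in bytes; run_values: Run value name -> data.
    Both are constructed snapshots standing in for os.stat() and winreg lookups."""
    findings = []
    for path, size in file_sizes.items():
        norm = path.lower().replace("\\", "/")
        if norm.rsplit("/", 1)[-1] == DROPPED_DLL:
            findings.append(("httpext.dll present", path))
        elif norm == DROPPED_EXE and size in SVCHOST_SIZES:
            findings.append(("dropped svchost.exe", path))
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or data.lower().replace("/", "\\") == r"c:\svchost.exe":
            findings.append(("run key persistence", "%s=%s" % (name, data)))
    return findings

# Constructed sample data: one client fetching the DLL twice, plus benign traffic and entries.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-08 10:02:11 192.0.2.10 GET /default.htm 200
2001-09-08 10:02:13 192.0.2.44 GET /scripts/httpext.dll 200
2001-09-08 10:02:15 192.0.2.44 GET /_vti_bin/HTTPEXT.DLL 200
2001-09-08 10:02:20 192.0.2.9 GET /iishelp/index.htm 200""".splitlines()
SAMPLE_FILES = {r"C:\WINNT\system32\svchost.exe": 9000,    # legitimate copy (size made up)
                r"C:\svchost.exe": 28672, r"C:\Inetpub\scripts\httpext.dll": 46587}
SAMPLE_RUN = {"Domain Manager": r"c:\svchost.exe", "ExampleTool": r"c:\tools\example.exe"}
```

The legitimate SYSTEM32 copy of SVCHOST.EXE is deliberately ignored, since the advisory only names the copy in the root of C: as an indicator.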