AUS-CITY Forums Computers & Software Security Bulletins and Virus Alerts W32/CodeBlue.worm

Who's Online Now

0 members (), 588 guests, and 28 robots.

Key: Admin, Global Mod, Mod

ShoutChat

Comment Guidelines: Do post respectful and insightful comments. Don't flame, hate, spam.

KSC PAD 39A

KSC PAD 39B

TLE DATA

IDB.COM.AU
For all your TLE downloads.

May
S	M	T	W	T	F	S
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

Today's Birthdays

There are no members with birthdays on this day.

AUS-CITY Recent Posts

Josh Brolin Talks Missing Out On Reprising Cable For Deadpool And Wolverine: ‘I So Wanted To Be In That Movie’
by Webmaster - Wed 01 May 2024 01:05:AM

Ahead Of FBI: International Losing Luke Kleintank, Here Are 6 Ways Forrester Could Leave The Fly Team
by Webmaster - Wed 01 May 2024 12:57:AM

Despite Hits Like Heartstopper, LGBTQ+ Representation On Television Is Actually Decreasing For The Second Year In A Row
by Webmaster - Wed 01 May 2024 12:20:AM

'Like Working In 10-D. You’re Tripping': If You've Ever Wondered What Filming With Robert Downey Jr Is Like, Jake Gyllenhaal Has You Covered
by Webmaster - Wed 01 May 2024 12:06:AM

I Think This Week’s Below Deck Episode Is Further Proof That Boat Romances Are Not A Good Idea
by Webmaster - Tue 30 Apr 2024 11:39:PM

‘It's Just Such A Strange Thing’: Ryan Gosling Talks How Weird It Was Having So Many Stunt-Double Lookalikes On The Fall Guy
by Webmaster - Tue 30 Apr 2024 11:18:PM

Will Lopez Vs. Lopez Return For Season 3 Following Season 2 Finale? Here's What We Know About NBC's Comedy Slate
by Webmaster - Tue 30 Apr 2024 10:59:PM

Disneyland Is Politely Tying To Crack Down On An Annoying Trend, And It's About Time
by Webmaster - Tue 30 Apr 2024 10:34:PM

Is CBS' FBI Losing Maggie After Season 6? I'm Not Too Worried After What Missy Peregrym Told Us
by Webmaster - Tue 30 Apr 2024 10:11:PM

Chris Pine Reveals His Favorite Memes Of Himself, And His Answers Rock!
by Webmaster - Tue 30 Apr 2024 09:41:PM

AUS-CITY Latest Photos

Art By MA
by Alisa, July 27

"5greenheart" by MA
by Alisa, July 27

"3moons" by MA
by Alisa, July 27

Art By MA
by Alisa, July 27

Popular Topics(Views)

4,734,388 The most hated Government Department

3,121,683 UBI, Updates and the rest :-)

840,087 Access to new forum UBI and PBS Private

699,556 CYPRUS SAT ON AIR CH60

519,180 What can we expect of TV Plus ?

510,938 Department of Child Safety's most shameful office

432,331 UBI vs DigiTurk - Turkish Package Changes

346,427 TARBS WAS SCREWED!!!!

339,738 Moderate 4.4 quake hits near Gisborne, Gisborne District, New Zealand

325,575 aussiefrogs.com offline

AUS-CITY Earthquake Map

AUS-CITY Advertisements

Print Thread

Rate Thread

W32/CodeBlue.worm #27929 Sun 09 Sep 2001 09:08:AM
Joined: Feb 2001 Posts: 3,536 Ontario, Canada VA3DBJ OP Mission Commander
OP VA3DBJ Mission Commander Joined: Feb 2001 Posts: 3,536 Ontario, Canada	Virus Information:<BR>Date Discovered: 9/7/01<BR>Date Added: 9/7/01<BR>Origin: Unknown<BR>Length: 46,587 (dll) 28,672 (exe) 14,336 (pack)<BR>Type: Virus<BR>SubType: Internet Worm<BR>DAT Required: 4159<P>This threat is not considered to be in the wild.<P>This worm infects Windows NT/2000 systems that are running Microsoft's IIS server software.<P>W32/CodeBlue.worm is not that similar to W32/CodeRed.worm. Unlike CodeRed, it writes files to the hard disk, causes its victim's machine to make a pull request to infect (rather than pushing itself down to that machine), and does not use a buffer overflow exploit.<P>W32/CodeBlue.worm targets random IP addresses, looking for systems to infect. It accomplishes the infection by making use of the "Web Server Folder Traversal" Vulnerability.<P>When a vulnerable system is located, a crafted URL is sent to that IP address which initiates an FTP get request on the remote machine. This causes it to download the file HTTPEXT.DLL into an IIS folder with execute rights (scripts, msadc, iisadmin, _vti_bin, iissamples, iishelp, or webpub). This allows the worm to execute this .DLL via a URL request. Once this request has been made, the DLL drops the file C:\SVCHOST.EXE (note: their is a valid SVCHOST.EXE file in the SYSTEM32 directory) and creates a registry run key to load itself at startup:<P>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\<BR>CurrentVersion\Run\Domain Manager=c:\svchost.exe<P>The SVCHOST.EXE file drops a VBScript (C:\D.VBS), calls it, and then deletes it. The script removes the IIS service mappings .IDA, .IDQ, and .PRINTER.<P>Finally, if the time is between 10am - 11am the worm will initiate a denial of service attack against a website in China.<P>Indications Of Infection:<P>Presence of HTTPEXT.DLL on the system and C:\SVCHOST.EXE (28,672 bytes long or 14,336 [packed])<P>Removal Instructions:<P> * Use specified engine and data files for detection and removal.<BR> * Apply the Microsoft patch for the "Web Server Folder Traversal" Vulnerability.<BR> * If desired, restore the .IDA, .IDQ, and .PRINTERS IIS server mappings.