"Blue Code": worm that fights "Code Red" and IIS servers. (VIRUS NOTES)

"Blue Code" is a malicious program that attacks remote Web servers running on Microsoft's Internet Information Server (IIS) platform. At the moment Kaspersky Labs has received several reports of infections by this worm from China.

Like the notorious "Code Red" worm discovered earlier this year, "Blue Code" attacks IIS servers. However, to penetrate target computers this worm exploits the Web Directory Traversal vulnerability in IIS that was discovered in October 2000. Infection proceeds in three stages: first "Blue Code" gains access to the remote computer's hard disk, then it uploads a worm-carrying file there from an already infected IIS server, and finally it runs this file. The worm-carrying file creates several additional files in the root directory of drive C: SVCHOST.EXE, HTTPEXT.DLL and D.VBS. The first two names are reserved by Windows and belong to non-malicious programs included in the standard Windows 2000/NT distribution; in this way the worm tries to disguise its presence on the infected IIS server.
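As an added example (not part of the Kaspersky note and not the worm's own code), the following Python script scans W3C-format IIS log lines for the directory-traversal requests that an attack through this class of vulnerability leaves behind. The log lines are constructed; the percent-encodings, double-encodings and overlong UTF-8 forms that the script normalises are assumptions about how such traversal is commonly encoded and are not details taken from the note.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample IIS (W3C extended) log excerpt. Field order follows the
# "#Fields:" header, as IIS writes it. Two lines are harmless, three are
# traversal attempts written with different encodings of "../".
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-06 10:01:12 192.0.2.10 GET /default.htm - 200
2001-09-06 10:01:15 192.0.2.44 GET /scripts/..%c0%af../secret.txt - 200
2001-09-06 10:01:16 192.0.2.44 GET /scripts/..%255c../secret.txt - 200
2001-09-06 10:02:03 192.0.2.10 GET /docs/notes..txt - 200
2001-09-06 10:02:40 198.51.100.7 GET /scripts/../../secret.txt - 404
"""


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 but ALSO accept overlong sequences (e.g. C0 AF for '/'),
    which a strict decoder rejects. A traversal filter that only looks at the
    literal bytes misses these, so the detector must fold them first."""
    out = []
    i, n = 0, len(data)
    while i < n:
        lead = data[i]
        if lead < 0x80:
            out.append(chr(lead))
            i += 1
            continue
        if 0xC0 <= lead <= 0xDF:
            need, cp = 1, lead & 0x1F
        elif 0xE0 <= lead <= 0xEF:
            need, cp = 2, lead & 0x0F
        elif 0xF0 <= lead <= 0xF7:
            need, cp = 3, lead & 0x07
        else:
            need = 0
        tail = data[i + 1:i + 1 + need]
        if need and len(tail) == need and all(0x80 <= t <= 0xBF for t in tail):
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
            i += 1 + need
        else:
            out.append("\ufffd")  # stray byte: keep going, mark as invalid
            i += 1
    return "".join(out)


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode and leniently UTF-8-decode until the string stops
    changing (bounded, so %2525.. chains cannot loop forever), then map
    backslashes to slashes so every spelling of '..\\' becomes '../'."""
    current = raw
    for _ in range(max_rounds):
        decoded = lenient_utf8(unquote_to_bytes(current))
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


# A ".." that forms a whole path segment; "notes..txt" must not match.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def is_traversal(uri_stem: str) -> bool:
    return TRAVERSAL.search(normalize_path(uri_stem)) is not None


def parse_w3c(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_traversal_attempts(text: str) -> list:
    """Return one record per request whose decoded URI stem climbs with '..'."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if is_traversal(stem):
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "raw": stem,
                "decoded": normalize_path(stem),
                "status": rec["sc-status"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['status']} {hit['raw']} -> {hit['decoded']}")
```

The point of the decoding loop is that a single pass over the raw URI is not enough: the same "../" can arrive as `%c0%af`, as `%255c`, or literally, and only the normalised form can be compared. Note that a 404 is still reported, since a failed attempt from a scanning host is exactly the early warning a defender wants.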
The malicious SVCHOST.EXE is registered in the start-up section of the Windows system registry, so the worm becomes active each time the computer is rebooted. D.VBS, in turn, performs several actions aimed at removing active "Code Red" copies from system memory and creating a defence against future "Code Red" attacks. In particular, "Blue Code" locates and terminates the INETINFO.EXE process, which is responsible for access to the Web server's resources (this terminates active "Code Red" copies). In addition, the worm changes the processing of specialised HTTP requests so that "Code Red" copies cannot penetrate this IIS server in the future.

To spread further, "Blue Code" starts 100 active threads that scan randomly selected IP addresses and attempt to plant its copy on any reachable remote computers. This number of active worm threads can significantly slow down the infected IIS server. The worm also has a payload routine that performs a DoS (denial of service) attack on the http://www.nsfocus.com Web server from 10:00am till 11:00am UTC.

www.kaspersky.com