[NEWS] "Blue Code": Worm That Fights "Code Red" and IIS-Servers
From: support@securiteam.com
Date: 09/09/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] "Blue Code": Worm That Fights "Code Red" and IIS-Servers
Message-Id: <20010909183117.820D9138C0@mail.der-keiler.de>
Date: Sun, 9 Sep 2001 20:31:17 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
"Blue Code": Worm That Fights "Code Red" and IIS-Servers
------------------------------------------------------------------------
SUMMARY
Kaspersky Labs, an international data-security software developer, reports
the discovery of "Blue Code", a new malicious program that attacks remote
Web servers running on Microsoft's Internet Information Server (IIS)
platform. At the moment Kaspersky Labs has received several reports of
infections by this worm from China. The following is a preliminary
analysis of the worm.
DETAILS
Like the notorious "Code Red" worm discovered earlier this year, "Blue
Code" attacks IIS servers. However, to penetrate target computers this
worm exploits the Web Directory Traversal vulnerability in IIS
(<http://www.securiteam.com/windowsntfocus/6U00B2000A.html>) that was
discovered in October 2000. The infection procedure consists of three
stages: first "Blue Code" gains access to the remote computer's hard disk,
then it uploads a worm-carrying file to that disk from an already infected
IIS server, and finally it runs that file.
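The infection vector described above is an HTTP request whose decoded path escapes the Web root. The detector below is an added example, not code from the advisory or from Kaspersky Labs: it scans constructed IIS-style log lines, canonicalises each request path (percent-decoding twice to catch double encoding, then decoding UTF-8 leniently so that overlong sequences such as %c0%af become the '/' a lenient server decoder would have produced) and flags any path that climbs above the root. The simplified log format, the sample lines and the client addresses are all constructed for the example.

```python
"""Detect directory-traversal requests in IIS-style web logs.

Added example for the advisory above (not part of it): canonicalise each
request path the way a lenient server decoder would, then check whether the
path climbs above the web root. Encoded variants such as %c0%af (an overlong
UTF-8 encoding of '/') and double-encoded %255c are normalised before the
check, so a plain ".." string match is not fooled by them.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in a simplified W3C extended format:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2001-09-09 10:12:01 192.0.2.10 GET /default.htm 200
2001-09-09 10:12:05 192.0.2.11 GET /scripts/..%c0%af../secret.txt 200
2001-09-09 10:12:09 192.0.2.12 GET /images/../index.htm 200
2001-09-09 10:12:13 192.0.2.13 GET /scripts/..%255c..%255csecret.txt 404
2001-09-09 10:12:17 192.0.2.14 GET /docs/report..pdf 200
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 two-byte sequences, accepting overlong ones (C0/C1 lead bytes).

    A strict decoder rejects b"\\xc0\\xaf"; a lenient one yields "/". Mirroring
    that leniency means the detector sees the path a lenient server acted on.
    Only two-byte sequences are decoded; any other byte is kept as Latin-1 so
    nothing is dropped, which is enough for separator detection.
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonical_path(raw: str) -> str:
    """Percent-decode twice (catches double encoding), decode leniently, unify separators."""
    path = raw
    for _ in range(2):
        path = lenient_utf8(unquote_to_bytes(path))
    return path.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if walking the segments ever climbs above the web root."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def find_traversal_attempts(log_text: str) -> list:
    """Return one dict per log line whose canonical path escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when, client, method, uri, status = m.groups()
        canon = canonical_path(uri)
        if escapes_root(canon):
            hits.append({"time": when, "client": client, "method": method,
                         "uri": uri, "decoded": canon, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['uri']} -> {hit['decoded']} ({hit['status']})")
```

Only the two encoded requests are reported; `/images/../index.htm` stays inside the root and `report..pdf` is not a `..` segment, so neither is flagged. Decoding before matching is the whole point: a signature on the literal string `../` misses both encoded lines.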
The worm-carrying file creates several additional files in the root
directory of the C: drive: SVCHOST.EXE, HTTPEXT.DLL and D.VBS. The first
two names are reserved by Windows and belong to non-malicious programs
included in the standard Windows 2000/NT distribution; in this way the
worm tries to disguise its presence on the infected IIS server. The
malicious SVCHOST.EXE is registered in the start-up section of the Windows
system registry, so the worm becomes active each time the computer is
rebooted.
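As an added example (not code from the advisory or from Kaspersky Labs), the following Python triage routine checks a constructed drive-root listing and a constructed `.reg`-style export of the per-machine Run key for the indicators just described. The listing, the export and the non-worm entries in them are assumptions made for the example; the design point is that the legitimate files carrying these names live under the Windows system directory (WINNT on Windows 2000), so the location of a match, not the name alone, is the signal.

```python
"""Host-side triage for the file and start-up indicators named in the advisory.

Added example (not code from the advisory or from Kaspersky Labs). Both the
drive-root listing and the .reg-style Run-key export below are constructed
sample input. The check is location-based: SVCHOST.EXE and HTTPEXT.DLL are
legitimate names under the Windows system directory, so only copies sitting
in the drive root (where the advisory says the worm drops them) are flagged.
"""
import ntpath
import re

# File names the advisory reports the worm creating in the root of C:.
DROPPED_NAMES = {"SVCHOST.EXE", "HTTPEXT.DLL", "D.VBS"}

# Constructed listing of a Windows 2000 host (WINNT is that release's default system root).
SAMPLE_LISTING = r"""
C:\boot.ini
C:\SVCHOST.EXE
C:\HTTPEXT.DLL
C:\D.VBS
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\httpext.dll
C:\Inetpub\wwwroot\default.htm
"""

# Constructed .reg-style export of the per-machine Run key. The exporter writes
# string data with backslashes and quotes escaped, which reg_unescape() undoes.
SAMPLE_RUN_KEY = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example Agent"="\"C:\\Program Files\\Example\\agent.exe\" /quiet"
"svchost"="C:\\SVCHOST.EXE"
"""

RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def reg_unescape(data: str) -> str:
    """Undo .reg string escaping: a backslash makes the following character literal."""
    out, i = [], 0
    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data):
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return "".join(out)


def command_executable(command: str) -> str:
    """Pull the program path out of a Run-key command line, honouring quoting."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def in_drive_root(path: str) -> bool:
    """True for paths directly under a drive root, such as C:\\SVCHOST.EXE."""
    folder, _name = ntpath.split(path)
    return ntpath.splitdrive(folder)[1] in ("", "\\")


def is_dropped_file(path: str) -> bool:
    """Match on name AND location: the same name under system32 is the real component."""
    return ntpath.basename(path).upper() in DROPPED_NAMES and in_drive_root(path)


def suspicious_files(listing: str) -> list:
    """Paths in a listing that look like the worm's dropped files."""
    return [p.strip() for p in listing.splitlines() if p.strip() and is_dropped_file(p.strip())]


def suspicious_run_entries(reg_export: str) -> list:
    """(value name, command) pairs under ...\\CurrentVersion\\Run that launch a dropped file."""
    hits, in_run_key = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].upper().endswith(r"\CURRENTVERSION\RUN")
            continue
        m = RUN_VALUE_RE.match(line)
        if in_run_key and m:
            command = reg_unescape(m.group("data"))
            if is_dropped_file(command_executable(command)):
                hits.append((m.group("name"), command))
    return hits


if __name__ == "__main__":
    for path in suspicious_files(SAMPLE_LISTING):
        print("dropped file:", path)
    for name, command in suspicious_run_entries(SAMPLE_RUN_KEY):
        print(f"start-up entry {name!r} runs {command}")
```

On the constructed input the three root-level files and the `svchost` Run value are reported, while the genuine `svchost.exe` and `httpext.dll` under `WINNT\system32` are left alone. The same functions can be pointed at a real `dir /s /b` listing and a real `reg export` of the Run key.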
In turn, D.VBS performs several actions aimed at removing active "Code
Red" copies from system memory and defending against future "Code Red"
attacks. In particular, "Blue Code" locates and terminates the INETINFO.EXE
application, which is responsible for access to the Web server's resources
(this also terminates any active "Code Red" copies, which run inside that
process). In addition, the worm changes how certain HTTP requests are
processed, which makes it impossible for "Code Red" copies to penetrate
this IIS server in the future.
To spread further, "Blue Code" starts 100 active threads that scan
randomly selected IP addresses and attempt to plant a copy of the worm on
any reachable remote computer. This number of active worm threads can
significantly degrade the infected IIS server's performance.
The worm also has a payload routine that performs a DoS (Denial of
Service) attack on the http://www.nsfocus.com Web server from 10:00am until
11:00am UTC.
ADDITIONAL INFORMATION
The information has been provided by Denis Zenkin
(<mailto:denis@kaspersky.com>).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.