Re: Code Blue

From: Xno Xutz (xnoxutz@yahoo.com)
Date: 09/10/01


Message-ID: <20010910195038.15396.qmail@web20110.mail.yahoo.com>
Date: Mon, 10 Sep 2001 12:50:38 -0700 (PDT)
From: Xno Xutz <xnoxutz@yahoo.com>
Subject: Re: Code Blue
To: FOCUS-MS@SECURITYFOCUS.COM

Hi,

I'm quoting "Handlers Diary" from "Vick Irwin" at
"intrusions@incidents.org":

====================================================================
Code Blue Worm
---------------
Kaspersky Labs has released an advisory concerning a worm called "Code Blue" that was discovered in China last week. Code Blue attacks IIS servers, using the Web Directory Traversal Vulnerability (MS00-78) to upload new code to a victim server and run it. The worm creates the files SVCHOST.EXE, HTTPEXT.DLL, and D.VBS in the victim's root C: directory, and modifies the system registry so that the malicious SVCHOST.EXE is launched whenever the machine is booted.

If necessary, the D.VBS script removes Code Red from the system and immunizes the server against further Code Red infections. In order to propagate, Code Blue spawns 100 threads and scans random IP addresses to find new victims. The worm also attempts to effect a DoS attack against www.nsfocus.com between 10:00 and 11:00 UTC. Interestingly, NSFocus (the would-be victim of the DoS) is the security firm that originally discovered the Web Directory Traversal Vulnerability used by the worm.

The Kaspersky Labs Code Blue Advisory:
http://www.kaspersky.com/news.asp?tnews=0&nview=1&id=228&page=0

NSFocus' Advisory on the Web Directory Traversal Vulnerability:
http://www.nsfocus.com/english/homepage/sa_06.htm

Details on the Directory Traversal Vulnerability from Microsoft:
http://www.microsoft.com/technet/Security/Bulletin/ms00-078.asp

News Articles on Code Blue:
http://www.pcworld.com/news/article/0,aid,61163,tk,dn090701X,00.asp
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2811108,00.html
http://news.cnet.com/news/0-1003-200-7086783.html?tag=lh

================================================================

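As an added example (not part of this post or the quoted diary), here is a small Python scanner that runs over constructed IIS W3C log lines and flags requests carrying the MS00-078 Web Directory Traversal pattern the diary names as Code Blue's infection vector. The overlong-UTF-8 byte sequences, the log field layout and the sample records are assumptions made for the example, not values taken from the page.

```python
"""Flag IIS W3C log records showing MS00-078-style directory traversal."""
import re
from urllib.parse import unquote

# Overlong UTF-8 encodings of '/' and '\' that unpatched IIS 4/5 decoded only
# after its path check (the MS00-078 bug). Assumed subset of known variants;
# extend the alternation if your sensor needs more.
OVERLONG = re.compile(r"%c0%af|%c1%1c|%c1%9c", re.I)

# Constructed sample log: two benign requests and two traversal attempts.
# IIS may log the stem either as received or already decoded, so both forms appear.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-10 12:50:38 192.0.2.10 GET /default.htm - 200
2001-09-10 12:50:41 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 200
2001-09-10 12:50:42 198.51.100.7 GET /scripts/..\\../winnt/system32/cmd.exe - 404
2001-09-10 12:51:02 192.0.2.11 GET /images/logo.gif - 200
"""


def parse_w3c(lines):
    """Yield one dict per record, using the #Fields: header for the layout."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def classify_request(uri_stem, uri_query="-"):
    """Return 'ms00-078' for the overlong-UTF-8 form, 'traversal' for any
    decoded '..' followed by a path separator, else None."""
    raw = uri_stem if uri_query in ("-", "") else f"{uri_stem}?{uri_query}"
    if OVERLONG.search(raw):
        return "ms00-078"
    if re.search(r"\.\.[\\/]", unquote(raw)):  # catches already-decoded stems
        return "traversal"
    return None


def scan_log(lines):
    """Return (client ip, uri stem, verdict) for every flagged record."""
    hits = []
    for rec in parse_w3c(lines):
        verdict = classify_request(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-"))
        if verdict:
            hits.append((rec.get("c-ip"), rec.get("cs-uri-stem"), verdict))
    return hits


if __name__ == "__main__":
    for ip, stem, verdict in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:9} {ip:15} {stem}")
```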


