[NTLUG:Discuss] Next IIS Virus engaged.--verified!

Richard Geoffrion richard at rain.lewisville.tx.us
Tue Sep 18 12:34:39 CDT 2001


Win32/BlueCode.Worm

Win32/BlueCode.Worm is an internet worm spread through unpatched Microsoft
Internet Information Server version 4.0 or 5.0. It exploits a vulnerability
of the server described in Microsoft Security Bulletin MS00-078:

(http://www.microsoft.com/technet/Security/Bulletin/ms00-078.asp)

Patch is available for download from:

IIS 4.0
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
IIS 5.0
http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp

Note that this is a different vulnerability than the one exploited by the Code
Red worm, and that the solution requires applying a different patch than for
Code Red.

This vulnerability allows hackers to run executables available on the IIS
server. The worm starts the attack by sending a malformed GET request to
the web server, causing the remote machine to download a malicious DLL named
HTTPEXT.DLL from the exploited server. HTTPEXT.DLL is an ISAPI extension which
will be loaded by the IIS server if requested. The worm then activates the DLL
by sending another GET request to the attacked server. The worm's DLL component
in turn drops the worm's executable component, named SVCHOST.EXE. The
executable component is registered to be run on Windows restart by adding
the following key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Domain Manager="c:\svchost.exe"

The executable component stops the .ida, .idq and .printer services of IIS by
dropping and launching a VBScript named D.VBS in the root of the C drive.
Between 10 and 11 am, the worm searches random IPs for IIS servers to spread to
by sending out malformed GET requests.

The worm also launches DoS attack against a network security company in
China.

Computer Associates has not received any reports of this worm so far and
issued this bulletin due to client inquiries. Detection for the files
created by this worm will be available in eTrust Antivirus / InoculateIT 6
signature release 23.45.70 (Inoculate 4.x signature 27.70, Vet signature
1475) and higher.
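As an added defender-side example (not part of the bulletin or of the list post), the following Python script parses IIS W3C extended log lines, flags the requests for the HTTPEXT.DLL ISAPI extension that the bulletin says the worm drops and then invokes, and counts the flagged requests per client address. The log lines are constructed; the /scripts/ location of the DLL is an assumption, since the bulletin does not give the request path.

```python
"""Triage IIS W3C extended log lines for the BlueCode indicator the
bulletin names: GET requests for the dropped HTTPEXT.DLL ISAPI extension.
Added example, not code from the bulletin, CA or the list post. The
/scripts/ path in the sample is an assumption; the #Fields: header is
how the IIS W3C extended format names its space-separated columns."""
from typing import Dict, Iterable, List

WORM_ISAPI = "httpext.dll"  # artefact name from the bulletin; IIS paths are case-insensitive


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One dict per request, columns named by the latest #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):  # skip blanks and other directives
            values = line.split()
            if len(values) == len(fields):  # drop malformed records rather than misalign
                records.append(dict(zip(fields, values)))
    return records


def flag_requests(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records whose URI stem or query names the worm's ISAPI DLL. A 200
    means the extension was present and ran; a 404 still shows a host probing."""
    return [r for r in records
            if WORM_ISAPI in (r.get("cs-uri-stem", "") + "?" + r.get("cs-uri-query", "")).lower()]


def sources_by_count(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Flagged requests per client address; repeat sources are likely infected scanners."""
    counts: Dict[str, int] = {}
    for r in hits:
        counts[r.get("c-ip", "?")] = counts.get(r.get("c-ip", "?"), 0) + 1
    return counts


# Constructed sample log (documentation address ranges, invented timestamps).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:02:11 192.0.2.10 GET /default.asp - 200
2001-09-18 10:02:14 192.0.2.77 GET /scripts/HTTPEXT.DLL - 200
2001-09-18 10:02:15 192.0.2.77 GET /scripts/httpext.dll - 200
2001-09-18 10:03:01 192.0.2.10 GET /images/logo.gif - 304
2001-09-18 10:05:40 203.0.113.5 GET /scripts/httpext.dll - 404
"""
```

Run it as `sources_by_count(flag_requests(parse_w3c(open(path).readlines())))` against a real log directory; the two 200 responses from one address are the pattern the bulletin describes (drop, then invoke), while a 404 only shows a host probing.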
