[NTLUG:Discuss] .--verified?? -oops..sorry. nvr mind!
Richard Geoffrion
richard at rain.lewisville.tx.us
Tue Sep 18 12:43:41 CDT 2001
----- Original Message -----
From: "Richard Geoffrion" <richard at rain.lewisville.tx.us>
To: <discuss at ntlug.org>
Sent: Tuesday, September 18, 2001 12:34 PM
Subject: Re: [NTLUG:Discuss] Next IIS Virus engaged.--verified!
> Win32/BlueCode.Worm
>
> Win32/BlueCode.Worm is an internet worm spread through unpatched Microsoft
> Internet Information Server version 4.0 or 5.0. It exploits a vulnerability
> of the server described in Microsoft Security Bulletin MS00-078:
>
> (http://www.microsoft.com/technet/Security/Bulletin/ms00-078.asp)
>
> Patch is available for download from:
>
> IIS 4.0
> http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
> IIS 5.0
> http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
>
> Note that this is different from the vulnerability exploited by the Code Red
> worm and that the solution requires applying a different patch than for Code
> Red.
>
> This vulnerability allows hackers to run executables available on the IIS
> server. The worm starts the attack by sending a malformed GET request to
> the web server causing the remote machine to download a malicious DLL named
> HTTPEXT.DLL from the exploited server. HTTPEXT.DLL is an ISAPI extension which
> will be loaded by the IIS server if requested. The worm then activates the DLL by
> sending another GET request to the attacked server. The worm's DLL component
> in turn drops the worm's executable component named SVCHOST.EXE. The
> executable component is registered to be run on Windows restart by adding
> the following key:
>
> HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Domain Manager="c:\svchost.exe".
>
> The executable component stopped the ".ida, .idq, .printer" services of IIS by
> dropping and launching a VBScript named D.VBS to the root of the C drive. Between 10
> and 11 am, the worm searches random IPs for IIS servers to spread to by sending
> out malformed GET requests.
>
> The worm also launches DoS attack against a network security company in
> China.
>
> Computer Associates has not received any reports of this worm so far and
> issued this bulletin due to client inquiries. Detection for the files
> created by this worm will be available in eTrust Antivirus / InoculateIT 6
> signature release 23.45.70 (Inoculate 4.x signature 27.70, Vet signature
> 1475) and higher.
>
>
> _______________________________________________
> http://www.ntlug.org/mailman/listinfo/discuss
>
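As an added example (not part of the NTLUG post or the Computer Associates bulletin), the following PowerShell script does a read-only sweep of an IIS host for the host-side indicators the quoted bulletin names: the "Domain Manager" Run value pointing at c:\svchost.exe, the dropped files SVCHOST.EXE and D.VBS at the root of C:, the ISAPI extension HTTPEXT.DLL, and a svchost process whose image is at the drive root rather than System32. The bulletin does not say where HTTPEXT.DLL is written, so the web-root path in `$IisRoot` is an assumption to adjust per host; everything else comes from the bulletin text.

```powershell
# Added example, not from the NTLUG post or the CA bulletin: read-only check for
# the BlueCode indicators listed in the quoted bulletin. Run in an elevated
# PowerShell on the IIS host. $IisRoot is an assumed location for HTTPEXT.DLL;
# the bulletin does not state where the DLL lands.
param(
    [string]$IisRoot = 'C:\Inetpub\wwwroot'   # assumption; adjust per host
)

$findings = @()

# 1. Persistence: Run value "Domain Manager" = "c:\svchost.exe" (from the bulletin).
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Domain Manager']) {
    $findings += [pscustomobject]@{
        Indicator = 'Run value "Domain Manager" present'
        Detail    = $run.'Domain Manager'
    }
}

# 2. Dropped files named in the bulletin. The legitimate svchost.exe lives in
#    %SystemRoot%\System32; a copy at the drive root is the indicator.
$paths = @('C:\svchost.exe', 'C:\D.VBS', (Join-Path $IisRoot 'HTTPEXT.DLL'))
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        $findings += [pscustomobject]@{
            Indicator = 'File present'
            Detail    = "$p ($($item.Length) bytes, last written $($item.LastWriteTime))"
        }
    }
}

# 3. A running svchost whose image path is the drive root, not System32.
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq 'C:\svchost.exe') } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'svchost running from drive root'
            Detail    = "PID $($_.Id) $($_.Path)"
        }
    }

if ($findings.Count -eq 0) {
    'No BlueCode indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled run can flag the host
}
```

The script only reads; it does not delete files or registry values, so it can be run across a fleet to find hosts that need the MS00-078 patch applied and cleaned by hand or by the AV signature release the bulletin cites. A hit on the Run value alone is a strong signal, since nothing legitimate registers "Domain Manager" pointing at the root of C:.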