CodeBlue
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for CodeBlue.
Explanation:
This is an IIS worm that spreads using an IIS directory traversal exploit. The worm sends a malformed GET request to the target server, which allows it to download an IIS extension named httpex.dll to that server. It then sends a second GET request to the same server, causing the already downloaded extension to execute and take control. The installed extension drops the virus as c:\svchost.exe and executes it.
The svchost.exe file creates a registry value in:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
named Domain Manager with the data c:\svchost.exe. In this way it is executed at every startup.
The exe file creates 100 threads that open 100 different ports for UDP connections. After that it drops a VBS file named c:\d.vbs that disables the .ida, .idc and .printer services. The virus searches for the inetinfo.exe process and, if it finds it, tries to terminate it.
Every thread checks the current system time; if it is between 10AM and 11AM, the thread attempts a DoS attack against the host 211.99.196.135 (www.nsfocus.com). Outside this period it tries to spread by searching for vulnerable servers; the IP addresses it probes are generated randomly. New servers are infected in the same way the worm arrived on the already infected computer.
Last update 21 November 2011
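As an added illustration, not part of the BitDefender entry, the following Python script shows how a defender could hunt for the two behaviours described above: the traversal GET requests used for spreading, and the persistence artefacts left on an infected host (the Domain Manager Run value, c:\svchost.exe and c:\d.vbs). The entry does not give the request bytes, so the decoder handles the two path encodings IIS 4/5 were known to mis-handle, double percent-encoding and overlong UTF-8, rather than one fixed signature. The log lines, Run values and file list are constructed sample data; the W3C log field layout and all function names are my own assumptions.

```python
from urllib.parse import unquote_to_bytes

# Indicators taken from the description above: the IIS extension the worm
# downloads, the Run value it creates and the two files it drops.
HTTPEX_NAME = "httpex.dll"
RUN_VALUE_NAME = "domain manager"
DROPPED_FILES = {r"c:\svchost.exe", r"c:\d.vbs"}


def lenient_utf8_decode(data: bytes) -> str:
    """Decode percent-decoded bytes the way a lenient server of that era did:
    ASCII as-is, and 2-byte *overlong* UTF-8 sequences (lead byte C0/C1)
    collapsed to the ASCII character they encode (e.g. C0 AF -> '/').
    Other non-ASCII bytes are kept as Latin-1 characters; only ASCII path
    characters matter for traversal detection."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def normalize_path(raw_path: str, max_decodes: int = 2) -> str:
    """Percent-decode up to max_decodes rounds (catches %25-style double
    encoding), accept overlong UTF-8, and treat backslash as a separator."""
    path = raw_path
    for _ in range(max_decodes):
        decoded = lenient_utf8_decode(unquote_to_bytes(path))
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def traversal_components(path: str) -> tuple:
    """Return (has_parent_ref, escapes_root) for a decoded path. A '..'
    component never appears in a normal browser request, and walking above
    the URL root is the hallmark of a traversal attempt."""
    has_parent, depth, escapes = False, 0, False
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            has_parent = True
            depth -= 1
            if depth < 0:
                escapes = True
        else:
            depth += 1
    return has_parent, escapes


def scan_iis_log(log_text: str) -> list:
    """Scan W3C extended-format IIS log text (assumed layout, driven by the
    '#Fields:' directive) and return one finding per suspicious request."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        cols = dict(zip(fields, line.split()))
        uri = cols.get("cs-uri-stem", "")
        decoded = normalize_path(uri)
        has_parent, escapes = traversal_components(decoded)
        reasons = []
        if has_parent:
            reasons.append("parent-directory reference after decoding")
        if escapes:
            reasons.append("path escapes the web root")
        if decoded.lower().rstrip("/").endswith(HTTPEX_NAME):
            reasons.append("request names " + HTTPEX_NAME)
        if reasons:
            findings.append({"ip": cols.get("c-ip"), "uri": uri,
                             "decoded": decoded, "reasons": reasons})
    return findings


def triage_host(run_values: dict, present_files: set) -> list:
    """Match the persistence and dropped-file indicators from the description.
    run_values: {value_name: data} as read from the CurrentVersion\\Run key;
    present_files: absolute paths found on disk (any case). Note that a
    legitimate svchost.exe lives in the system directory, never in C:\\."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or data.lower().strip('"') == r"c:\svchost.exe":
            hits.append(f"Run value {name!r} -> {data}")
    for f in sorted(DROPPED_FILES & {p.lower() for p in present_files}):
        hits.append(f"dropped file present: {f}")
    return hits


# Constructed sample data (not real telemetry); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-10 10:15:01 192.0.2.10 GET /default.htm - 200
2001-08-10 10:15:02 192.0.2.10 GET /docs/my%20file.htm - 200
2001-08-10 10:15:03 198.51.100.7 GET /scripts/..%c0%af../httpex.dll - 404
2001-08-10 10:15:04 198.51.100.7 GET /scripts/..%255c..%255c/httpex.dll - 200
"""
SAMPLE_RUN = {"Domain Manager": r"c:\svchost.exe",
              "UpdateCheck": r"C:\Program Files\Example\update.exe"}
SAMPLE_FILES = {r"C:\svchost.exe", r"C:\WINNT\system32\svchost.exe"}

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f["ip"], f["uri"], "->", f["decoded"], "|", "; ".join(f["reasons"]))
    for h in triage_host(SAMPLE_RUN, SAMPLE_FILES):
        print(h)
```

The log scanner deliberately decodes more aggressively than a correct server would, because the point is to see the path the vulnerable server saw; the benign `%20` line decodes cleanly and is not flagged, while both encoded traversal lines are flagged on decoded content rather than on a literal byte pattern.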