Rebel79
09-13-2001, 04:22 PM
Just got this confidential e-mail from my work:
The Code Blue Worm and pose a threat to Internet users.
This new worm attacks Windows NT and 2000 machines running IIS. It obtains
access to a remote server using the IIS Web Directory Traversal exploit also
known as the Unicode Web Traversal IIS exploit. Upon execution, this worm
creates 100 threads or copies of itself, and for its payload, each of these
threads carries out a Denial of Service (DoS) attack on a certain server.
For the worm's propagation routine, each worm thread generates a random IP
address and then checks for the presence of IIS server in the intended
machine. Infection is accomplished in three steps using the IIS Web
Directory Traversal exploit. This worm has several components which are detected
as TROJ_BLUECODE.A and VBS_BLUECODE.A. It drops a Worm carrier that hides as
a standard IIS DLL application HTTPEXT.DLL. This worm carrier can be found
in either the root directory "C:\HTTPEXT.DLL" of the infected system or in
the virtual directory "C:\Inetpub\Scripts\HTTPEXT.DLL". This component does
not contain a destructive payload; it simply serves as a main worm carrier
and dropper.
The Code Red patch does not apply to this vulnerability.
This IIS vulnerability was first reported Oct 2000; all IIS servers should
have been patched accordingly. Due to the increased media attention,
please make sure all IIS servers are patched appropriately. (NOTE: Please
evaluate and ensure adequate testing is performed BEFORE you apply any
patches to systems.)
The patch is available at Microsoft Security:
IIS 4.0 http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
IIS 5.0 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
The IIS 4.0 patch can be installed on systems running Windows NT(r) 4.0
Service Packs 5 and 6a.
The IIS 5.0 patch can be installed on systems running either Windows(r) 2000
or Service Pack 1. It will be included in Windows 2000 Service Pack 2.
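A log-review sketch for the behaviour the e-mail describes, added here as an example and not part of the original post or the forwarded e-mail: it flags requests whose path hides a separator in a non-shortest-form (overlong) UTF-8 sequence, and requests for the HTTPEXT.DLL carrier. The simplified field layout, the assumption that the log records the raw request path, the function names and the sample lines are all constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

CARRIER = "httpext.dll"  # carrier file name given in the e-mail above

# Constructed sample lines (documentation-range IPs), not real log data.
SAMPLE = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-13 16:01:10 192.0.2.10 GET /default.asp 200
2001-09-13 16:01:12 198.51.100.7 GET /scripts/..%c0%af../example.txt 404
2001-09-13 16:01:15 203.0.113.5 GET /scripts/httpext.dll 200
2001-09-13 16:01:20 192.0.2.10 GET /caf%c3%a9.htm 200
""".splitlines()

def overlong_chars(uri_path):
    """Return characters encoded as non-shortest-form (overlong) UTF-8."""
    data = unquote_to_bytes(uri_path)
    hidden, i = [], 0
    while i < len(data):
        b, rest = data[i], data[i + 1:i + 3]
        if b in (0xC0, 0xC1) and len(rest) >= 1 and rest[0] & 0xC0 == 0x80:
            # 2-byte form of a code point below U+0080: never valid UTF-8
            hidden.append(chr(((b & 0x1F) << 6) | (rest[0] & 0x3F)))
            i += 2
        elif (b == 0xE0 and len(rest) == 2 and 0x80 <= rest[0] <= 0x9F
              and rest[1] & 0xC0 == 0x80):
            # 3-byte form of a code point below U+0800
            hidden.append(chr(((rest[0] & 0x3F) << 6) | (rest[1] & 0x3F)))
            i += 3
        else:
            i += 1
    return hidden

def scan(lines):
    """Return (client_ip, status, reasons) for each suspicious request."""
    findings = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        _date, _time, ip, _method, stem, status = line.split()[:6]
        reasons = []
        if any(c in "/\\." for c in overlong_chars(stem)):
            reasons.append("overlong-utf8-path-char")
        if stem.lower().endswith("/" + CARRIER):
            reasons.append("carrier-dll-request")
        if reasons:
            findings.append((ip, status, reasons))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A successful response to a carrier-DLL request is the cue to check the two file locations named in the e-mail on that server.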