
Code Blue has been released. What's next? Code Pokadotted pink

by Majik on September 9th, 2001

Virus experts today confirmed the existence of Code Blue, the latest Internet worm to target unpatched Microsoft Webservers.

The new worm, which does not appear to be spreading rapidly, exploits a nearly year-old flaw in Microsoft's Internet Information Server (IIS) software known as the Web Server Folder Traversal vulnerability, according to an analysis of the code published today by major US-based virus researchers.

A patch that was released by Microsoft in August 2000 for a different vulnerability provides complete protection against the vulnerability exploited by Code Blue, according to Microsoft.

Besides attempting to propagate to other vulnerable IIS systems, the new worm performs a denial of service attack for one hour each day on the Web site of NSFOCUS, a Chinese security firm.

While Microsoft credited a security consultant known as "Rain Forest Puppy" for reporting the IIS vulnerability to Microsoft, NSFOCUS released an advisory of its own three days later with slightly different information on how to exploit the flaw. NSFOCUS has also discovered several other security flaws in IIS and Windows 9x.

NSFOCUS representatives were not immediately available for comment.

When an infected system attempts to propagate to other Internet servers, it will send a "Get" request to the target's port 80. If vulnerable, the target system will make an FTP connection to the attacking machine and retrieve and execute a malicious file called HTTPEXT.DLL.
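Added example, not from the original article or from any vendor's tooling: a small Python checker that flags directory-traversal requests in IIS-style access logs, the kind of GET the propagation step above relies on. The log lines are constructed, and the decoding covers generic traversal encodings (percent, double-percent, overlong UTF-8) rather than the worm's exact request.

```python
import re
from urllib.parse import unquote_to_bytes
# Constructed IIS-style log lines (W3C fields: date time c-ip cs-method cs-uri sc-status); fabricated, not real worm traffic.
SAMPLE_LOG = """\
2001-09-09 10:00:01 192.0.2.10 GET /index.htm 200
2001-09-09 10:00:02 192.0.2.44 GET /scripts/..%c0%af../private/config.txt 200
2001-09-09 10:00:03 192.0.2.45 GET /scripts/..%255c../private/config.txt 404
2001-09-09 10:00:04 192.0.2.46 GET /images/logo.gif 200
2001-09-09 10:00:05 192.0.2.47 GET /docs/release..notes.htm 200
"""

def _fold_overlong(data: bytes) -> bytes:
    # Collapse overlong two-byte UTF-8 (lead byte 0xC0/0xC1) to the ASCII byte it
    # encodes; this is the encoding trick the IIS folder-traversal flaw relied on.
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def normalize_uri(uri: str) -> str:
    # Percent-decode until stable (catches double encoding such as %255c),
    # fold overlong UTF-8, then treat backslash as a path separator.
    raw = uri.encode("latin-1", "replace")
    for _ in range(3):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    return _fold_overlong(raw).decode("latin-1").replace("\\", "/")

def is_traversal(uri: str) -> bool:
    # Flag only when a whole path segment is '..', so 'release..notes' stays clean.
    path = normalize_uri(uri).split("?", 1)[0]
    return any(seg == ".." for seg in path.split("/"))

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def scan_log(text: str) -> list[tuple[str, str]]:
    # Return (client-ip, raw-uri) for every request carrying a traversal sequence.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group(5)):
            hits.append((m.group(3), m.group(5)))
    return hits
```

Running `scan_log(SAMPLE_LOG)` reports the two encoded traversal requests and leaves the legitimate `release..notes.htm` request alone.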

When it infects a server already afflicted with Code Red, the new worm terminates an application required by Code Red. The worm also makes changes to the server's processing of HTTP requests to make it invulnerable to Code Red infections in the future, according to anti-virus software vendor Kaspersky Labs.

Security experts say cleaning up a Code Blue infection is relatively easy and consists of deleting several files and a registry entry created by the worm.

While Kaspersky Labs said it has received several reports of infections by Code Blue, other vendors, including Symantec, Network Associates, and Trend Micro, said the worm is not in the wild and they have received no customer reports.
