CodeBlue

VERY LOW
MEDIUM
14336 bytes (compressed with UPX)
(CodeBlue)

Symptoms

- The file svchost.exe present in the root of the system drive (c:\svchost.exe). The legitimate svchost.exe lives in the System32 folder; a copy directly under c:\ is the indicator;
- The following value under the Run key in the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Domain Manager with the data c:\svchost.exe;

Removal instructions:

1. Make sure that you have the latest updates using BitDefender Live!;

2. Make the following changes in the Windows registry;

Please make sure to modify only the values that are specified. It is also recommended to backup the Windows Registry before proceeding with these changes.
a) Select Run... from the Start menu, then type regedit and press Enter;
b) Delete the following value (it is a value named Domain Manager under the Run key, not a key of its own):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Domain Manager

3. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt user for action"). Choose to delete all the files detected as CodeBlue;

4. Reboot the computer, or manually restart the processes the worm terminated (in particular the IIS service, inetinfo.exe);

5. Apply the Microsoft patch for the IIS directory traversal vulnerability the worm exploits, and remove the httpex.dll extension and the c:\d.vbs script it dropped; an unpatched server will simply be reinfected by the next scanning host.

Analyzed By

Sorin Victor Dudea BitDefender Virus Researcher

Technical Description:

This is an IIS worm that spreads using the IIS directory traversal exploit. The worm sends a malformed GET request to the target server, which allows it to download an IIS extension named httpex.dll onto that server. It then sends a second GET request to the same server that causes the downloaded extension to execute and take control. The installed extension drops the worm as c:\svchost.exe and executes it.

The svchost.exe file creates a value named Domain Manager under:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
with the data c:\svchost.exe, so that the worm is executed at every startup.

The executable creates 100 threads, each of which opens a different UDP port. It then drops a VBScript file, c:\d.vbs, that disables the .ida, .idc and .printer ISAPI script mappings. The worm also searches for the inetinfo.exe process (IIS) and, if it finds it, tries to terminate it.

Each thread checks the current system time. If it is between 10 AM and 11 AM, the thread attempts a DoS attack against the host 211.99.196.135 (www.nsfocus.com). Outside that hour it tries to spread, scanning randomly generated IP addresses for vulnerable servers and infecting them in the same way the worm reached the current host.