FYI:

Best regards
Alexander Ganz
Junior Producer
________________________________________
News Net Informationssysteme GmbH
Am Prediger Tor 1
79098 Freiburg
Phone: 0761 / 3861 142
Fax: 0761 / 3861 303
Internet: www.news-net.de
Email: mailto:[EMAIL PROTECTED]
________________________________________

-----Original Message-----
From: Birrer Dominic [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 11 September 2001 11:53
To: ASP Datenbankprogrammierung
Subject: [aspdedatabase] IIS4/5: Successor to the CodeRed virus, here: CodeBlue

Hello everyone

This doesn't really belong here, but I think it really is of interest to everyone. We all know what CodeRed 1 & 2 did. The text below contains the links to the necessary patches.

Regards
Dominic

BlueCode.Trojan IIS worm (aka Code Blue)
Win32/BlueCode.Trojan

Win32/BlueCode.Worm is an internet worm spread through unpatched Microsoft Internet Information Server version 4.0 or 5.0. It exploits a vulnerability of the server described in Microsoft Security Bulletin MS00-078:
http://www.microsoft.com/technet/Security/Bulletin/ms00-078.asp

Patch is available for download from:
IIS 4.0 http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
IIS 5.0 http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp

Note that this is a different vulnerability than the one exploited by the Code Red worm and that the solution requires applying a different patch than for Code Red.

This vulnerability allows hackers to run executables available on the IIS server. The worm starts the attack by sending a malformatted GET request to the web server, causing the remote machine to download a malicious DLL named HTTPEXT.DLL from the exploited server. HTTPEXT.DLL is an ISAPI extension which will be loaded by the IIS server if requested. The worm then activates the DLL by sending another GET request to the attacked server.
The worm's DLL component in turn drops the worm's executable component named SVCHOST.EXE. The executable component is registered to be run on Windows restart by adding the following key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Domain Manager="c:\svchost.exe"
The executable component stopped ".ida, .idq, .printer" services of IIS by dropping and launching a VBScript named D.VBS to the root of C drive. In order to propagate, the worm searches random IP addresses for an IIS server to attack by sending out a malformatted GET request. Between 10am and 11am the worm also launches a DoS attack against a network security company in China.

Computer Associates did not receive any reports of this worm so far and issued this bulletin due to client inquiries. The eTrust InoculateIT signature updates listed below contain detection for the files dropped by this worm (Win32/BlueCode.Trojan, Win32/BlueCode_DLL.Trojan, VBS/BlueCode.Trojan).

| [aspdedatabase] subscribed as [EMAIL PROTECTED]
| http://www.aspgerman.com/archiv/aspdedatabase/ = list archive
| You can subscribe and unsubscribe at the following URL:
| http://www.aspgerman.com/aspgerman/listen/anmelden/aspdedatabase.asp
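
The host indicators the bulletin names (the "Domain Manager" Run value and the files dropped at the root of C:) can be checked against artifacts collected from a server. The following is an added example, not part of the original email or the Computer Associates bulletin; the function names, the REGEDIT4 export and the file listing are constructed for illustration.

```python
import re

# Indicators taken from the bulletin text; sample data below is constructed.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = ("domain manager", r"c:\svchost.exe")
DROPPED_FILES = {r"c:\svchost.exe", r"c:\d.vbs"}  # root of C:, not system32

# "name"="data" string value line, allowing backslash-escaped characters
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    # .reg exports escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in a REGEDIT4 export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def triage(reg_text, file_paths):
    """Return (kind, detail) findings matching the bulletin's indicators."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() != RUN_KEY:
            continue
        if name.lower() == RUN_VALUE[0] or data.lower() == RUN_VALUE[1]:
            findings.append(("run-key", f"{name}={data}"))
    for p in file_paths:
        # Windows paths are case-insensitive; compare normalised forms
        if p.replace("/", "\\").lower() in DROPPED_FILES:
            findings.append(("dropped-file", p))
    return findings

# Constructed sample: Run key export and a partial file listing
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Domain Manager"="c:\\svchost.exe"
'''
SAMPLE_FILES = [r"C:\WINNT\system32\svchost.exe", r"C:\svchost.exe", r"C:\D.VBS"]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_REG, SAMPLE_FILES):
        print(kind, detail)
```

The legitimate svchost.exe under system32 is deliberately not flagged; only the copy at the root of C: matches what the bulletin describes.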
