Virus Profile: W32/CodeBlue.worm

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 9/7/2001
Date Added: 9/7/2001
Origin: Unknown
Length: 46,587 (dll), 28,672 (exe), 14,336 (packed exe)
Type: Virus
Subtype: Internet Worm
DAT Required: 4159

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of HTTPEXT.DLL on the system and of C:\SVCHOST.EXE (28,672 bytes long, or 14,336 bytes when packed).

Methods of Infection

This worm targets Microsoft IIS servers by exploiting the "Web Server Folder Traversal" Vulnerability.

Aliases

IIS-Worm.BlueCode (AVP), W32.BlueCode.Worm (NAV)

Virus Characteristics

This worm infects Windows NT/2000 systems that are running Microsoft's IIS server software.

W32/CodeBlue.worm is not that similar to W32/CodeRed.worm. Unlike CodeRed, it writes files to the hard disk, causes the victim's machine to pull the worm down itself (rather than pushing itself onto that machine), and does not use a buffer overflow exploit.

W32/CodeBlue.worm targets random IP addresses, looking for systems to infect. It accomplishes the infection by making use of the "Web Server Folder Traversal" Vulnerability.

When a vulnerable system is located, a crafted URL is sent to that IP address which initiates an FTP get request on the remote machine. This causes it to download the file HTTPEXT.DLL into an IIS folder with execute rights (scripts, msadc, iisadmin, _vti_bin, iissamples, iishelp, or webpub), which allows the worm to execute the .DLL via a URL request. Once this request has been made, the DLL drops the file C:\SVCHOST.EXE (note: there is a legitimate SVCHOST.EXE file in the SYSTEM32 directory) and creates a registry run key to load itself at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Domain Manager=c:\svchost.exe
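The two request patterns described above (a folder-traversal attempt, then a URL request that executes HTTPEXT.DLL from one of the listed IIS folders) can be picked out of IIS W3C-extended logs. The following is an added example, not code from the profile's vendor: the log layout, the #Fields order and every sample line are constructed, and the assumption that a traversal attempt shows up as a ".." segment once the URI stem is percent-decoded is ours rather than a statement of the profile.

```python
"""Triage IIS W3C-extended log lines for a folder-traversal attempt and for a
request that executes HTTPEXT.DLL from an IIS folder with execute rights.

Added example, not vendor code. Log layout and sample lines are constructed;
treating a decoded ".." segment as a traversal indicator is an assumption.
"""
from urllib.parse import unquote

# IIS folders with execute rights, as listed in the profile.
EXEC_FOLDERS = {"scripts", "msadc", "iisadmin", "_vti_bin", "iissamples", "iishelp", "webpub"}
DROPPED_DLL = "httpext.dll"

# Constructed sample log (W3C extended format). 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-07 10:11:58 192.0.2.10 GET /default.htm - 200
2001-09-07 10:12:01 192.0.2.77 GET /scripts/..%5c..%5cexample - 404
2001-09-07 10:12:05 192.0.2.77 GET /scripts/httpext.dll - 200
2001-09-07 10:13:40 192.0.2.10 GET /iishelp/iis/misc/default.asp - 200
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        values = raw.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def decode_path(stem, rounds=3):
    """Percent-decode a bounded number of times (so double encoding is handled),
    then normalise backslashes to slashes and lower-case the result."""
    for _ in range(rounds):
        decoded = unquote(stem)
        if decoded == stem:
            break
        stem = decoded
    return stem.replace("\\", "/").lower()


def classify(record):
    """Return the indicator tags that apply to one parsed record."""
    segments = [s for s in decode_path(record["cs-uri-stem"]).split("/") if s]
    tags = []
    if ".." in segments:
        tags.append("traversal")
    # Request for the dropped DLL directly under one of the executable folders.
    if len(segments) >= 2 and segments[0] in EXEC_FOLDERS and segments[-1] == DROPPED_DLL:
        tags.append("httpext_dll_request")
    return tags


def triage(text):
    """Return (client IP, raw URI stem, tags) for every record that matched an indicator."""
    hits = []
    for rec in parse_w3c(text):
        tags = classify(rec)
        if tags:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], tags))
    return hits


if __name__ == "__main__":
    for ip, stem, tags in triage(SAMPLE_LOG):
        print(f"{ip:15} {', '.join(tags):22} {stem}")
```

A traversal hit followed shortly by an `httpext.dll` request from the same client, as in the constructed sample, is the sequence the profile describes; either tag on its own is worth a look at the host, since a 200 on the DLL request means the file was already in place.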

The SVCHOST.EXE file drops a VBScript (C:\D.VBS), calls it, and then deletes it. The script removes the IIS service mappings .IDA, .IDQ, and .PRINTER.
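The host-side indicators the profile gives (HTTPEXT.DLL in an executable IIS folder, C:\SVCHOST.EXE at the drive root, the "Domain Manager" Run value, and the removed .IDA/.IDQ/.PRINTER mappings) can be checked together. The following is an added example, not the vendor's code: the snapshot dictionary (file paths with sizes, a registry subtree, the IIS script-map list) is a constructed stand-in for whatever an inventory tool collects from a real host, so the check runs offline.

```python
r"""Check a host snapshot for the CodeBlue indicators listed in the profile.

Added example, not vendor code. The snapshot format is constructed: a dict of
file paths to sizes, a registry subtree, and the list of IIS script mappings.
"""
import ntpath

EXEC_FOLDERS = {"scripts", "msadc", "iisadmin", "_vti_bin", "iissamples", "iishelp", "webpub"}
SVCHOST_SIZES = {28672, 14336}            # sizes given in the profile (unpacked / packed)
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
REMOVED_MAPPINGS = {".ida", ".idq", ".printer"}


def check_host(snapshot):
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    files = {path.lower(): size for path, size in snapshot["files"].items()}

    # 1. HTTPEXT.DLL whose parent folder is one of the executable IIS folders.
    #    Physical paths vary per site, so match on the folder name, not a fixed root.
    for path in files:
        folder, name = ntpath.split(path)
        if name == "httpext.dll" and ntpath.basename(folder) in EXEC_FOLDERS:
            findings.append(f"dropped DLL: {path}")

    # 2. C:\SVCHOST.EXE at the drive root. The legitimate SVCHOST.EXE lives in
    #    SYSTEM32 and is deliberately not matched here.
    size = files.get(r"c:\svchost.exe")
    if size is not None:
        verdict = "size matches profile" if size in SVCHOST_SIZES else "size differs from profile; inspect"
        findings.append(f"C:\\SVCHOST.EXE present ({size} bytes; {verdict})")

    # 3. Run value "Domain Manager" loading c:\svchost.exe at startup.
    run_values = {k.lower(): v.lower() for k, v in snapshot["registry"].get(RUN_KEY, {}).items()}
    if run_values.get("domain manager") == r"c:\svchost.exe":
        findings.append("Run value 'Domain Manager' = c:\\svchost.exe")

    # 4. Script mappings the dropped VBScript removes. Weak on its own, since an
    #    administrator may have removed them deliberately; it corroborates the rest.
    present = {ext.lower() for ext in snapshot["iis_script_maps"]}
    missing = sorted(REMOVED_MAPPINGS - present)
    if missing:
        findings.append(f"IIS script mappings absent: {', '.join(missing)}")
    return findings


# Constructed snapshots: one matching every indicator, one clean.
INFECTED = {
    "files": {
        r"C:\Inetpub\scripts\HTTPEXT.DLL": 46587,
        r"C:\SVCHOST.EXE": 28672,
        r"C:\WINNT\system32\svchost.exe": 12000,      # legitimate copy; size is constructed
    },
    "registry": {RUN_KEY: {"Domain Manager": r"c:\svchost.exe"}},
    "iis_script_maps": [".asp", ".asa", ".shtml"],
}
CLEAN = {
    "files": {
        r"C:\WINNT\system32\svchost.exe": 12000,
        r"C:\Inetpub\wwwroot\default.htm": 1024,
    },
    "registry": {RUN_KEY: {"ExampleAgent": r"c:\program files\example\agent.exe"}},
    "iis_script_maps": [".asp", ".ida", ".idq", ".printer"],
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, check_host(snap) or "no indicators")
```

Matching on the file name and parent folder rather than a fixed path keeps the DLL check valid for sites whose virtual directories map to non-default physical locations; the size check is reported as a verdict rather than a filter so that a repacked or modified copy of C:\SVCHOST.EXE is still surfaced.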

Finally, if the time is between 10am and 11am, the worm initiates a denial of service attack against a website in China.