Aliases: W32.CodeBlue
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: dormant
Spreading: moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 07 Sep 2001
Damage: medium

Characteristics: W32.BlueCode.Worm is a worm that targets websites and infects Internet Information Server (IIS) web servers.

More details about W32.BlueCode.Worm

This worm allegedly uses .exe files to spread from website to website. Its program files are named SVCHOST.EXE and HTTPEXT.DLL, so if you see these files, the virus may already be present on your system. It uses the IIS Web Directory Traversal exploit and is said to run on and infect Windows NT and 2000 using Unicode. The virus is a program that automatically copies itself and spreads from one system to another. It spreads continuously and does not contain any payloads. It is also known as “IIS-Worm.bluecode (AVP)” and “W32.bluecode.Worm (NAV).”

This virus is also known for writing itself to the infected computer’s hard disk and having that computer issue requests to infect another machine; it does not transfer itself to other machines automatically. It targets random IP addresses and downloads the HTTPEXT.DLL file into an IIS folder that has execute rights. After this, you may see a file named C:\SVCHOST.EXE. The worm creates a registry Run key to load itself at startup. Its behaviour depends on the system time: between 10 am and 11 am it initiates a denial-of-service attack against a website in China. When this happens, it runs multiple threads, which makes the computer unstable and can force it to become inoperable.
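The file names above are also the names of legitimate Windows components, so a triage check has to look at location rather than name alone. The following is an added example, not part of the original entry: it flags SVCHOST.EXE and HTTPEXT.DLL copies found outside their usual directories and Run key values that launch them. The system root `C:\WINNT`, the legitimate directories, the `C:\Inetpub\scripts` path and the Run value names are assumptions or constructed sample data.

```python
import ntpath

# Assumption of this example: default NT/2000 layout. Directory (relative to the
# system root) where each legitimate file with a reused name normally lives.
LEGIT_DIRS = {
    "svchost.exe": r"system32",
    "httpext.dll": r"system32\inetsrv",
}

def _norm(path, system_root):
    """Lower-case, unquote, expand %SystemRoot% and normalise a Windows path."""
    p = path.strip().strip('"').lower()
    return ntpath.normpath(p.replace("%systemroot%", system_root.lower()))

def masquerades(path, system_root=r"C:\WINNT"):
    """True if path has a watched file name but sits outside its legitimate directory."""
    p = _norm(path, system_root)
    name = ntpath.basename(p)
    if name not in LEGIT_DIRS:
        return False
    expected = _norm(ntpath.join(system_root, LEGIT_DIRS[name]), system_root)
    return ntpath.dirname(p) != expected

def triage(file_paths, run_values, system_root=r"C:\WINNT"):
    """Return (kind, item) findings for a file listing and a dict of Run key values."""
    findings = [("file", p) for p in file_paths if masquerades(p, system_root)]
    for value_name, command in run_values.items():
        cmd = command.strip()
        # Run values may carry arguments; keep only the executable part.
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
        if masquerades(exe, system_root):
            findings.append(("run-key", value_name))
    return findings

# Constructed sample inventory (not taken from a real host).
SAMPLE_FILES = [
    r"C:\WINNT\system32\svchost.exe",         # legitimate location
    r"C:\SVCHOST.EXE",                        # location named in the entry
    r"C:\WINNT\system32\inetsrv\httpext.dll", # legitimate location
    r"C:\Inetpub\scripts\HTTPEXT.DLL",        # assumed executable IIS folder
]
SAMPLE_RUN = {
    "example-entry": r"C:\svchost.exe",
    "example-legit": r"%SystemRoot%\system32\svchost.exe -k example",
    "example-other": "mobsync.exe /logon",
}

if __name__ == "__main__":
    for kind, item in triage(SAMPLE_FILES, SAMPLE_RUN):
        print(kind, item)
```
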