This is an Internet worm that targets Web sites by infecting Internet
Information Servers (ISS). The worm perpetrates this method of spreading from one Web site to another by sending and executing its EXE file.
The name of the worm’s files are consistant – SVCHOST.EXE and HTTPEXT.DLL. The EXE
file is a Win32 application (PE EXE file) about 29K in length, and it is written in
Microsoft C++. There also was a compressed variant discovered, which is about 14K in size. The DLL file is about 47K in size, and it is written in Microsoft C++.
Note that the worm uses standard Win32 EXE file names. SVCHOST.EXE and
HTTPEXT.DLL can be found in standard Win2000 installations in the SYSTEM32
The worm infects only machines installed with the IIS package and Web site
contents. The worm application, upon being run on a such machine, locates and
infects remote Web sites (remote machines with installed IIS package): it
enters them and, by using a Web Directory Traversal exploit, sends its copy there, and spawns that copy. As a result, the worm infects all
vlunerable Web servers that can be accessed from current a infected machine, and
other infected servers spread the worm copy further, and so on.
The worm has a payload routine that, from 10:00 am till 11:00 am global time,
performs a DoS attack (Deny of Service) on the http://www.nsfocus.com Web server.
The worm creates its copies (EXE and DLL) in the root of C: drive –
C:SVCHOST.EXE and C:HTTPEXT.DLL. This EXE file is then registered in the Registry auto-run key:
Domain Manager = C:svchost.exe
The worm then creates and swapns a C:D.VBS script file, then looks for the INETINFO.EXE application and terminates it if it is active. The VBS script
program also searches for Indexing Service, Indexing Query and printer mapping and
As a result, the worm disables security breaches that can be used (or
were used) by other worms to infect the machine and/or hackers to break
through the Web-security protections.
To spread further, the worm runs 100 threads that scan randomly selected IP
addresses and attacks them.
In 50% of the cases, the attacked machines are in the same network, and the attacked
IP addresses are “aa.bb.??.??”, where “aa.bb” is part of the infected machine IP
address, and “??” are random.
In the other 50% of the cases, the attacked addresses are very random.
To attack a victim machine, the worm uses the Web Directory Traversal exploit three times:
- it tries to determine the IIS directory on a remote machine,
- then sends a request to the remote machine to download the DLL component of the
virus (HTTPEXT.DLL file) from the infected one,
- the last request is to copy that DLL file to the C: root directory.
To upload a DLL file to a victim machine, the worm uses a “tftp” command, and
activates the temporary TFTP server on an infected (current) machine to process a “get
data” command from the victim (remote) machine.
When a DLL file is uploaded to the victim machine, it is activated by a trick. So,
the worm copy starts on a remote server, then it drops and executes the EXE
component that then spreads the virus futhrer.