Antivirus firms are releasing more information on the so-called Code Blue virus which vnunet.com reported on Friday. Apparently the code attacks by exploiting the well-known 'Folder Traversal' vulnerability in IIS, first discovered in October 2000.

Once the worm gains access to a vulnerable system it downloads extra files from an already infected machine and creates them in the root directory of the C: drive. These include maliciously modified versions of genuine filenames included with Windows NT/2000, SVCHOST.EXE, HTTPEXT.DLL and D.VBS.

According to antivirus firm Kaspersky, SVCHOST.exe ensures that the virus is active every time the computer is booted up, while D.vbs actually checks for and removes active copies of the Code Red worm. It also future proofs the system against Code Red attacks by terminating the INETINFO.exe application which Code Red makes use of.

Code Blue will then create 100 threads which scan random IP addresses for more vulnerable machines to attack. This activity has led to speculation that the increased demand on system resources may well cause servers to slow down or crash.

In addition, Code Blue is also set up to perform a denial of service attack on an IP address belonging to Chinese security firm, Network Security Focus - a trait shared by the Code Red worm, which was programmed to attack the White House website.

Microsoft's patch to protect a web server against the Folder Traversal vulnerability is available here.