This alert has been issued due to increased media attention received by this threat.
The following has been derived from information provided by CERT, Trend Micro and McAfee.
Characteristics
This is a trojan which includes backdoor capabilities. It is contained in the hacker-modified file /libsm/t-shm.c of the Sendmail 8.12.6 package. Once a user builds the package and runs the sendmail program, this malware is extracted from the trojanized file.
Upon execution it decodes and drops a script named test. The script drops a backdoor file, conftest.c, compiles it, names the resulting binary after the user's shell (sh, csh, bash, tsh, zsh) as read directly from /etc/passwd, and runs it. Finally, the script partially cleans the trojanized t-shm.c and exits.
The backdoor forks and opens a connection to 66.37.138.99 on port 6667, listening for commands on that socket. It allows the attacker to open a remote shell that runs in the context of the affected system.
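The command channel described above (a connection to 66.37.138.99 on port 6667) is the network indicator a defender can hunt for. The following is an added example, not code from the advisory or from any of the vendors it cites: it scans connection log lines for that indicator and reports the internal hosts that attempted to reach it. The key=value log format and all sample lines are constructed for illustration; the host and port are the ones named in the advisory.

```python
"""Flag outbound connections matching the backdoor's command channel.

Added example (not from the advisory). The key=value log format below is a
constructed illustration, not any vendor's real format. The indicator
66.37.138.99:6667 is the one named in the advisory.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

C2_HOST = "66.37.138.99"   # from the advisory
C2_PORT = 6667             # from the advisory

# Constructed sample connection log (hypothetical key=value format).
# Note the last entry of interest is a denied attempt: a blocked connection
# still identifies an infected host trying to reach its controller.
SAMPLE_LOG = """\
2002-10-08T21:14:02Z src=192.0.2.10:43122 dst=66.37.138.99:6667 proto=tcp action=allow
2002-10-08T21:14:05Z src=192.0.2.10:43123 dst=198.51.100.7:443 proto=tcp action=allow
2002-10-08T21:15:11Z src=192.0.2.22:51000 dst=203.0.113.9:6667 proto=tcp action=allow
2002-10-08T21:16:40Z src=192.0.2.10:43124 dst=66.37.138.99:6667 proto=tcp action=deny
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)$"
)

Hit = Tuple[str, str, str]  # (timestamp, source host, firewall action)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec: dict) -> Optional[str]:
    """'c2' for the advisory's exact host+port; 'irc-port' for the port alone
    (lower confidence, worth review); None for everything else."""
    if rec["dst"] == C2_HOST and rec["dport"] == C2_PORT:
        return "c2"
    if rec["dport"] == C2_PORT:
        return "irc-port"
    return None


def scan_log(lines: Iterable[str]) -> Dict[str, object]:
    """Run every line through the classifier and bucket the results."""
    hits: Dict[str, object] = {"c2": [], "irc-port": [], "unparsed": 0}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            hits["unparsed"] += 1  # type: ignore[operator]
            continue
        label = classify(rec)
        if label:
            hits[label].append((rec["ts"], rec["src"], rec["action"]))  # type: ignore[union-attr]
    return hits


def infected_hosts(hits: Dict[str, object]) -> List[str]:
    """Internal hosts that contacted (or tried to contact) the controller."""
    return sorted({src for _, src, _ in hits["c2"]})  # type: ignore[union-attr]


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG.splitlines())
    print("hosts to isolate and rebuild:", infected_hosts(result))
    print("port-only matches for review:", result["irc-port"])
    print("unparsed lines:", result["unparsed"])
```

The port-only bucket exists because 6667 is the usual IRC port; traffic to it from a build server is unusual enough to review, but only the exact host+port pair matches the advisory, so only that bucket drives the host list.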
More information on this malware is available from CERT at the following location:
http://www.cert.org/advisories/CA-2002-28.html
Payload
Installs and executes a remote access trojan, compromising the system's security.
Preventative Measures
Verify software authenticity using the published MD5 checksums and PGP signatures. The trojanized copy did not include an updated PGP signature, so attempts to verify its integrity would have failed.
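The check recommended above only protects a site if the missing signature is treated as a failure rather than skipped. The following is an added example, not code from the advisory or from the Sendmail project: it compares a downloaded package against a published MD5 checksum and then requires a valid detached PGP signature, failing closed when the signature file is absent or gpg cannot be run. The file names, the stand-in package bytes and the checksum are constructed for illustration; it assumes a gpg binary on PATH for the signature step.

```python
"""Verify a downloaded source package against its published MD5 checksum and
detached PGP signature, failing closed when either check cannot be made.

Added example, not part of the advisory and not Sendmail's own tooling. It
assumes a detached signature file next to the tarball and gpg on PATH; the
file names, package bytes and checksum below are constructed for illustration.
"""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile
from dataclasses import dataclass

# Constructed stand-in for the real tarball bytes and its published checksum.
STANDIN_PAYLOAD = b"abc"
PUBLISHED_MD5 = "900150983cd24fb0d6963f7d28e17f72"  # MD5 of b"abc"


@dataclass
class Verdict:
    ok: bool
    reason: str


def check_md5(data: bytes, published_md5: str) -> bool:
    """Compare the MD5 of the package bytes with the published value."""
    actual = hashlib.md5(data).hexdigest()
    return hmac.compare_digest(actual, published_md5.strip().lower())


def check_signature(package_path: str, sig_path: str) -> Verdict:
    """Verify a detached PGP signature with gpg.

    A missing signature or a missing gpg is a failure, never a pass: the
    trojanized copy shipped without an updated signature, so 'no signature'
    must mean 'not verified'.
    """
    if not os.path.isfile(sig_path):
        return Verdict(False, "missing-signature")
    gpg = shutil.which("gpg")
    if gpg is None:
        return Verdict(False, "gpg-unavailable")
    proc = subprocess.run([gpg, "--batch", "--verify", sig_path, package_path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return Verdict(False, "bad-signature")
    return Verdict(True, "signature-ok")


def verify_package(package_path: str, published_md5: str, sig_path: str) -> Verdict:
    """Checksum first (cheap, catches corrupt downloads), then the signature."""
    with open(package_path, "rb") as f:
        data = f.read()
    if not check_md5(data, published_md5):
        return Verdict(False, "md5-mismatch")
    return check_signature(package_path, sig_path)


def demo(with_signature_file: bool = False, published_md5: str = PUBLISHED_MD5) -> Verdict:
    """Run verify_package on the constructed stand-in package in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "sendmail.8.12.6.tar.gz")  # hypothetical file name
        sig = pkg + ".sig"
        with open(pkg, "wb") as f:
            f.write(STANDIN_PAYLOAD)
        if with_signature_file:
            with open(sig, "wb") as f:
                f.write(b"not a real signature")  # constructed garbage, must fail
        return verify_package(pkg, published_md5, sig)


if __name__ == "__main__":
    print("no signature file :", demo())
    print("garbage signature :", demo(with_signature_file=True))
    print("wrong checksum    :", demo(published_md5="0" * 32))
```

The checksum is only a corruption check here: MD5 is no longer collision resistant, and a checksum fetched from the same server as the package can be replaced along with it, so the signature check against a key obtained out of band is the control that actually detects a trojanized download.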
Detection Available
Network Associates:
Minimum DAT: 4229
Minimum Engine: 4.1.60
Trend:
Pattern File: 366
Scan Engine: 5.200