SECURITY ALERT

Name:      Linux.Adore.Worm
Aliases:   Linux.Red.Worm, Unix/Adore, Red worm, Linux/Adore, Adore.Worm
Variants:  
Type:      Worm, Backdoor
Platforms: Linux systems running a vulnerable wu-ftpd, BIND, LPRng, or rpc.statd
Status:    in the wild
Threat:    low (V-CON 1)

This worm has recently been gaining media attention, but is currently considered to be a low threat.

The following has been derived from information provided by F-Secure, Symantec, and Sophos.

Virus Characteristics

Linux.Adore.Worm is a worm which spreads between Linux systems. It takes advantage of the same vulnerabilities that were exploited by the Linux.Ramen and Linux.Lion worms. These vulnerabilities affect the following services:

BIND (named)
wu-ftpd
rpc.statd
lpd (LPRng)

The worm exploits these vulnerabilities to gain root access on the target system, copies itself to the compromised host, and runs. Once running, it scans for and infects further systems which have the same vulnerabilities.

The worm attempts to download a tar file from go.l163.com. This site appears to have been taken down, so much of the worm's functionality no longer works. If the file is successfully downloaded, the worm extracts the contained files and executes a script which does the following:

- replaces /bin/ps with a Trojanized version
- adds a script named "0anacronis" to the daily cron jobs. When it runs, it removes the worm from the system, restores the original /bin/ps, and kills all of the worm's processes except the installed backdoor. If /sbin/shutdown exists, the system is then restarted.
- adds the users ftp and anonymous to /etc/ftpusers, closing the wu-ftpd hole behind it
- kills the rpc.statd, rpc.rstatd, and lpd processes, so that their vulnerabilities cannot be exploited again
- replaces klogd (the kernel message logger) with a backdoor program that allows root shell access
- sends the IP address, the process list, the shell history, the hosts file, and the shadow password file to two of four possible email addresses located in China
- executes the routines which search for new vulnerable systems to compromise
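Because the worm replaces /bin/ps, output from ps on a compromised host cannot be trusted; the filesystem artifacts listed above can be checked directly instead. The following host check is an added example, not part of this alert or of any vendor tool. It looks for the cron script, the /etc/ftpusers additions, and hash mismatches on the two replaced binaries under a given root directory, so it can be run against a mounted forensic image as well as a live system. It assumes the daily cron directory is /etc/cron.daily (the alert only says "daily cron job"), uses the script name exactly as this alert gives it, and expects a caller-supplied baseline file of known-good SHA-256 hashes in sha256sum format, taken beforehand from a clean host of the same distribution and version (the baseline file is a hypothetical input, not something the page describes).

```shell
#!/bin/sh
# Added example (not from the original alert): offline indicator check for
# the artifacts attributed to Linux.Adore.Worm.
#
# Usage: adore_check ROOT BASELINE
#   ROOT      directory to inspect, e.g. / or /mnt/image
#   BASELINE  sha256sum-format file ("<hash>  bin/ps") of known-good hashes,
#             paths relative to ROOT (hypothetical input, see lead-in)
# Exit status is the number of indicators found (0 = nothing found).

sha256_of() {
    # SHA-256 of a file: GNU coreutils first, then Perl's shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

adore_check() {
    root="${1:-/}"
    baseline="$2"
    hits=0

    # 1. The daily cron script the alert names (the worm's self-removal hook).
    #    Path /etc/cron.daily is an assumption; the alert says "daily cron job".
    cron="$root/etc/cron.daily/0anacronis"
    if [ -e "$cron" ]; then
        echo "HIT: $cron exists" >&2
        hits=$((hits + 1))
    fi

    # 2. The /etc/ftpusers entries the worm adds to close the wu-ftpd hole.
    #    Legitimate hardening adds the same lines, so this is a weak indicator
    #    on its own; it is reported only when both names are present.
    f="$root/etc/ftpusers"
    if [ -f "$f" ] && grep -qx 'ftp' "$f" && grep -qx 'anonymous' "$f"; then
        echo "NOTE: ftp and anonymous both listed in $f (weak indicator)" >&2
        hits=$((hits + 1))
    fi

    # 3. The two binaries the worm replaces. Compare against the baseline; a
    #    binary with no baseline entry is warned about rather than passed.
    for rel in bin/ps sbin/klogd; do
        [ -f "$root/$rel" ] || continue
        expected=$(awk -v p="$rel" '$2 == p { print $1 }' "$baseline")
        if [ -z "$expected" ]; then
            echo "WARN: no baseline hash for $rel" >&2
            continue
        fi
        actual=$(sha256_of "$root/$rel")
        if [ "$actual" != "$expected" ]; then
            echo "HIT: $root/$rel hash $actual differs from baseline" >&2
            hits=$((hits + 1))
        fi
    done

    return "$hits"
}

# Direct invocation: sh adore_check.sh ROOT BASELINE
if [ "$#" -eq 2 ]; then
    adore_check "$1" "$2"
fi
```

On a live host, run the check with ROOT=/ only after the baseline has been taken from a machine you trust; on the suspect machine itself, the package manager's verification (for example rpm -V on Red Hat) is an independent second opinion on /bin/ps and klogd, and a process list read directly from /proc rather than from ps avoids the Trojanized binary altogether.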


Payload

Files modified: /bin/ps, klogd
Distributes confidential information: system information and the shadow password file are emailed to addresses in China
Backdoor: allows root shell access


Preventative Measures

All four vulnerabilities have already been addressed in patches released by the Linux vendors. Additional information can be found at:

Debian GNU/Linux: http://www.debian.org/security/
Linux Mandrake: http://www.linux-mandrake.com/en/security/
SuSE: http://www.suse.com/en/support/security/index.html
RedHat Linux: http://www.redhat.com/support/errata/

LPRng: http://www.cert.org/advisories/CA-2000-22.html
wu-ftpd 2.6: http://www.cert.org/advisories/CA-2000-13.html
BIND: http://www.cert.org/advisories/CA-2001-02.html
rpc.statd: http://www.cert.org/advisories/CA-2000-17.html


Fixes Available

AVP: No information available at time of alert
F-Secure: Detected with current updates (April 3, 2001)
Network Associates: No information available at time of alert
Sophos: Linux/Adore IDE file (April 5, 2001)
Symantec: Detection not yet available
Trend: No information available at time of alert
