SECURITY ALERT

Name:      Linux/Slapper.Worm.b
Aliases:   Linux/Slapper-B,Linux.Slapper.B
Variants:  
Type:      Internet Worm
Platforms: Linux
Status:    in the wild
Threat:    V-CON 1 (low)

The following has been derived from information provided by Computer Associates, NAI, and Sophos.

Virus Characteristics

Slapper.B is a variant of Linux/Slapper.A, on which we published an alert on September 15, 2002.

Slapper.B also contains a shell script, /tmp/.cinik.go, which uses /usr/bin/find to search /usr, /var, /tmp, /home and /mnt on the affected system for files to overwrite with the worm binary. The script also e-mails local host and network information to cinik_worm@yahoo.com or aion@ukr.net. Each time a file is infected, a crontab entry is added so that the worm runs again after a reboot or after its process is killed.

As a self-protection measure, if the source file /tmp/cinik.c is deleted from the system, the worm attempts to download a replacement copy, also named cinik.c.

Exploited systems run a backdoor server on UDP port 1978 or 4156.

The worm scans all files in all directories for valid e-mail addresses and sends them back as a single list to the IP address given in the initial request from the remote user.
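The following host check is an added example, not part of this alert or of any vendor's tooling. It looks for the indicators stated above: the dropped files /tmp/.cinik.go and /tmp/cinik.c, crontab persistence entries referencing them, and a listener on UDP port 1978 or 4156. The live collectors assume a Linux host with the `crontab` and `ss` utilities (an assumption, not from the alert); the sample crontab and `ss` output embedded in the block are constructed for the demonstration.

```python
"""Host check for the Linux/Slapper.B indicators described in the alert.

Added example, not the alert's or any vendor's code. Indicator values
(/tmp/.cinik.go, /tmp/cinik.c, crontab persistence, UDP 1978/4156) come from
the alert text. The live collectors assume Linux with `crontab` and `ss`
(assumption). SAMPLE_CRONTAB and SAMPLE_SS_OUTPUT are constructed test data.
"""
import os
import re
import subprocess

# Indicators taken from the alert text.
SLAPPER_B_FILES = ("/tmp/.cinik.go", "/tmp/cinik.c")
SLAPPER_B_UDP_PORTS = {1978, 4156}
# The worm's cron entries reference its dropped files; match on the name.
CRON_INDICATOR = re.compile(r"cinik", re.IGNORECASE)

# Constructed sample crontab: one legitimate job, two worm-style entries.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/backup.sh
* * * * * /tmp/.cinik.go
@reboot /tmp/cinik
"""

# Constructed sample of `ss -lun` output (header line plus two UDP listeners).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
UNCONN 0      0      0.0.0.0:1978       0.0.0.0:*
"""


def find_cron_persistence(crontab_text):
    """Return non-comment crontab lines that reference the worm's files."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if CRON_INDICATOR.search(stripped):
            hits.append(stripped)
    return hits


def find_backdoor_ports(listening_udp_ports):
    """Return the listening UDP ports that the alert associates with the backdoor."""
    return SLAPPER_B_UDP_PORTS & set(listening_udp_ports)


def find_dropped_files(exists=os.path.exists):
    """Return worm file paths present on the host; `exists` is injectable for testing."""
    return [path for path in SLAPPER_B_FILES if exists(path)]


def parse_ss_ports(ss_output):
    """Extract port numbers from the Local Address:Port column of `ss -lun` output."""
    ports = []
    for line in ss_output.splitlines()[1:]:  # skip the header line
        cols = line.split()
        if len(cols) < 4 or ":" not in cols[3]:
            continue
        port = cols[3].rsplit(":", 1)[1]
        if port.isdigit():  # `*` appears for wildcard ports; skip it
            ports.append(int(port))
    return ports


def assess(crontab_text, listening_udp_ports, exists=os.path.exists):
    """Run all three checks; `suspected` is True when any indicator is present."""
    findings = {
        "cron_entries": find_cron_persistence(crontab_text),
        "backdoor_ports": sorted(find_backdoor_ports(listening_udp_ports)),
        "dropped_files": find_dropped_files(exists),
    }
    findings["suspected"] = any(
        findings[key] for key in ("cron_entries", "backdoor_ports", "dropped_files")
    )
    return findings


# Live collectors (assumed Linux tooling); only used when run as a script.
def collect_crontab():
    """Read the current user's crontab via `crontab -l` (empty string if none)."""
    result = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else ""


def collect_udp_ports():
    """List listening UDP ports by parsing `ss -lun`."""
    out = subprocess.run(["ss", "-lun"], capture_output=True, text=True).stdout
    return set(parse_ss_ports(out))


if __name__ == "__main__":
    print(assess(collect_crontab(), collect_udp_ports()))
```

Run as root to cover every user's crontab (or point `find_cron_persistence` at the contents of /etc/cron.d and /var/spool/cron as well); an absent file or a closed port is not proof the host is clean, since the script only tests the indicators this alert names.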

Affected systems include (Linux distribution and Apache version):

Gentoo unknown
Debian 1.3.26
Red Hat 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.26, 1.3.23, 1.3.22
SuSE 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23
Mandrake 1.3.14, 1.3.19, 1.3.20, 1.3.23
Slackware 1.3.26


Payload

Overwrites Files.
Installs backdoor server.


Preventative Measures

If you are running one of the affected versions, contact your software vendor for an updated version.


Fixes Available

Network Associates:
Minimum DAT: 4225
Release Date: 09/25/2002
Minimum Engine: 4.1.60

Symantec: No information at time of alert.

Trend: No information at time of alert.
