SANS.org: New Linux Worm Adore
Apr 04, 2001, 18:04 (23 Talkback[s])
(Other stories by Matt Fearnow)
Date: Wed, 04 Apr 2001 01:00:20 -0500
From: Matt Fearnow <email@example.com>
Subject: New Linux worm Adore
Yesterday, the SANS Institute (through its Global Incident Analysis
Center) uncovered a new worm variant (Adore) of 2 existing Linux worms
(Ramen and Lion).
Adore is a worm that we originally called the Red Worm. It is similar to
the Ramen and Lion worms. Adore scans the Internet checking Linux hosts to
determine whether they are vulnerable to any of the following well-known
exploits: LPRng, rpc-statd, wu-ftpd and BIND. LPRng is installed by default
on Red Hat 7.0 systems. From the reports so far, Adore appears to have
started its spread on April 1.
Adore worm replaces only one system binary (ps), with a trojaned version
and moves the original to /usr/bin/adore. It installs the files in
/usr/lib/lib . It then sends an email to the following addresses:
firstname.lastname@example.org, email@example.com, firstname.lastname@example.org,
Attempts have been made to get these addresses taken offline, but no
response so far from the provider. It attempts to send the following
ps -aux (using the original binary in /usr/bin/adore)
Adore then runs a package called icmp. With the options provided with the
tarball, it by default sets the port to listen too, and the packet length
to watch for. When it sees this information it then sets a rootshell to
allow connections. It also sets up a cronjob in cron daily (which runs at
04:02 am local time) to run and remove all traces of its existence and then
reboots your system. However, it does not remove the backdoor.
We have developed a utility called adorefind that will detect the adore
files on an infected system.
As adorefind runs, it will give you the option to stop the running worm
jobs and remove the files from the filesystem.
Further information can be found at:
This security advisory was prepared by <:email@example.com> Matt
Fearnow of the SANS Institute and William Stearns of the Dartmouth
Institute for Security Technology Studies.
The Adorefind utility was written by William Stearns.
SANS GIAC Incident Handler
- The Register: Highly destructive Linux worm mutating
(Mar 28, 2001)
- Worm Targeting Linux Could Cause Serious Damage(Mar 24, 2001)
- Business Week: Linux' [Ramen] Bug Problem: Getting the Fixes Out(Jan 24, 2001)
- Security Portal: Top Ramen - Noodles for Script Kiddies(Jan 23, 2001)
- LinuxSecurity.com: Ramen Linux Worm Propagation(Jan 22, 2001)
- LinuxProgramming.com: Editor's Comment: The Ramen Worm: Opportunity Knocks(Jan 22, 2001)
- LinuxPlanet: Ramen and the Danger of Default Linux Configurations(Jan 19, 2001)
- BBC News: Linux virus infection fears; Ramen hits Red Hat(Jan 19, 2001)
- F-Secure Virus Descriptions: Ramen - Alias: Linux.Ramen, LINUX/Ramen - Linux Worm(Jan 19, 2001)