SANS.org: New Linux Worm Adore

Written By
Web Webster
Apr 4, 2001
Date: Wed, 04 Apr 2001 01:00:20 -0500
From: Matt Fearnow <matt@sans.org>
Subject: New Linux worm Adore

SUMMARY
Yesterday, the SANS Institute (through its Global Incident Analysis
Center) uncovered Adore, a new worm variant derived from two existing Linux
worms (Ramen and Lion).

DETAILS
Adore is a worm that we originally called the Red Worm. It is similar to
the Ramen and Lion worms. Adore scans the Internet for Linux hosts and checks
whether they are vulnerable to any of the following well-known exploits:
LPRng, rpc-statd, wu-ftpd and BIND. LPRng is installed by default on Red Hat
7.0 systems. From the reports so far, Adore appears to have started spreading
on April 1.

The Adore worm replaces only one system binary, ps, with a trojaned version
and moves the original to /usr/bin/adore. It installs its files in
/usr/lib/lib. It then sends an email to the following addresses:
adore9000@21cn.com, adore9000@sina.com, adore9001@21cn.com,
adore9001@sina.com
Attempts have been made to get these addresses taken offline, but there has
been no response so far from the provider. The email attempts to send the
following information:
/etc/ftpusers
ifconfig
ps -aux (using the original binary in /usr/bin/adore)
/root/.bash_history
/etc/hosts
/etc/shadow

Adore then runs a package called icmp. With the options provided with the
tarball, it by default sets the port to listen on and the packet length to
watch for. When it sees a packet matching those parameters, it opens a root
shell that accepts connections. It also installs a cron job in cron.daily
(which runs at 04:02 am local time) that removes all traces of the worm's
existence and then reboots the system. However, it does not remove the
backdoor.

Detection
We have developed a utility called adorefind that detects the Adore files on
an infected system.
adorefind: http://www.sans.org/y2k/adorefind-0.2.0.tar.gz
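As an added example (not the adorefind utility and not code from the advisory), the first function below checks a host for the indicators named above: the relocated ps at /usr/bin/adore, the /usr/lib/lib drop directory, the cron.daily cleanup job, and mail-log entries to the four drop addresses. The root-prefix argument is an assumption so the same check can be run against a mounted image or a test tree; the second function cross-checks the installed ps against /proc, since that binary is the one Adore trojans.

```shell
#!/bin/sh
# Added example, not the SANS adorefind utility: check a host for the Adore
# indicators the advisory lists. The optional first argument is an assumed
# root prefix (e.g. a mounted image of the suspect disk); omit it on a live host.
# Returns 0 when no indicator is present, 1 otherwise.
adore_indicators() {
    root="${1%/}"
    found=0
    # 1. Adore parks the genuine ps at /usr/bin/adore before installing its trojaned copy.
    if [ -e "$root/usr/bin/adore" ]; then
        echo "INDICATOR: $root/usr/bin/adore exists (relocated original ps)"
        found=$((found + 1))
    fi
    # 2. The worm's components are installed in /usr/lib/lib.
    if [ -d "$root/usr/lib/lib" ]; then
        echo "INDICATOR: worm directory $root/usr/lib/lib is present"
        found=$((found + 1))
    fi
    # 3. The 04:02 cleanup-and-reboot job is dropped in cron.daily and names the worm paths.
    for job in "$root"/etc/cron.daily/*; do
        [ -f "$job" ] || continue
        if grep -q -e '/usr/lib/lib' -e '/usr/bin/adore' "$job"; then
            echo "INDICATOR: cron.daily job $job references Adore paths"
            found=$((found + 1))
        fi
    done
    # 4. Exfiltrated files go by mail to four fixed drop addresses; the MTA log records them.
    for log in "$root"/var/log/maillog "$root"/var/log/mail.log; do
        [ -f "$log" ] || continue
        if grep -q -E 'adore900[01]@(21cn|sina)\.com' "$log"; then
            echo "INDICATOR: $log shows mail to an Adore drop address"
            found=$((found + 1))
        fi
    done
    echo "adore indicators found: $found"
    [ "$found" -eq 0 ]
}

# Because the installed ps is the part Adore trojans, do not trust it alone:
# list PIDs present in /proc that ps does not report. A process that started
# between the ps snapshot and the /proc scan shows up too, so re-run to confirm.
hidden_pids() {
    visible=$(ps -e -o pid= 2>/dev/null || ps ax | awk 'NR > 1 { print $1 }')
    for p in /proc/[0-9]*; do
        pid="${p#/proc/}"
        [ -d "$p" ] || continue          # exited since the glob expanded
        printf '%s\n' "$visible" | grep -q -x " *$pid" || echo "$pid"
    done
}
```

Run `adore_indicators` with no argument on the suspect host, or with the mount point of its disk image; any PID printed by `hidden_pids` that survives a second run deserves a look with the original binary in /usr/bin/adore.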

Removal
As adorefind runs, it will give you the option to stop the running worm
jobs and remove the files from the filesystem.

Further information can be found at:
http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/adorefind.htm
http://www.sans.org/y2k/adore.htm
http://www.sans.org/current.htm
http://www.sans.org/y2k/ramen.htm
http://www.sans.org/y2k/DDoS.htm

This security advisory was prepared by Matt Fearnow <matt@sans.org> of the
SANS Institute and William Stearns of the Dartmouth Institute for Security
Technology Studies.
The Adorefind utility was written by William Stearns.



Matt Fearnow
SANS GIAC Incident Handler
matt@sans.org
