
adore.worm.txt

Posted Apr 8, 2001
Authored by Matt Fearnow | Site sans.org

Information on the Adore worm, which we originally called the Red Worm and which is similar to the Ramen and Lion worms. Adore scans the Internet checking Linux hosts to determine whether they are vulnerable to any of the following well-known exploits: LPRng, rpc-statd, wu-ftpd and BIND. LPRng is installed by default on Red Hat 7.0 systems. From the reports so far, Adore appears to have started its spread on April 1.

tags | worm
systems | linux, redhat
SHA-256 | 913e0cd774c4018d5d8459dc3b3eb751dbc0b2e0021f6d4ffa91e5f9bb6b4703



SUMMARY
Yesterday, the SANS Institute (through its Global Incident Analysis
Center) uncovered a new worm variant (Adore) of 2 existing Linux worms
(Ramen and Lion).

DETAILS
Adore is a worm that we originally called the Red Worm. It is similar to
the Ramen and Lion worms. Adore scans the Internet checking Linux hosts to
determine whether they are vulnerable to any of the following well-known
exploits: LPRng, rpc-statd, wu-ftpd and BIND. LPRng is installed by default
on Red Hat 7.0 systems. From the reports so far, Adore appears to have
started its spread on April 1.

The Adore worm replaces only one system binary, ps, with a trojaned version
and moves the original to /usr/bin/adore. It installs its files in
/usr/lib/lib. It then sends an email to the following addresses:
adore9000@21cn.com, adore9000@sina.com, adore9001@21cn.com,
adore9001@sina.com
Attempts have been made to get these addresses taken offline, but there has
been no response so far from the provider. The worm attempts to send the
following information:
/etc/ftpusers
ifconfig
ps -aux (using the original binary in /usr/bin/adore)
/root/.bash_history
/etc/hosts
/etc/shadow

Adore then runs a package called icmp. With the options provided in the
tarball, it by default sets the port to listen on and the packet length to
watch for. When it sees a matching packet it opens a root shell to accept
connections. It also sets up a cron job in cron daily (which runs at
04:02 am local time) that removes all traces of its existence and then
reboots your system. However, it does not remove the backdoor.

Detection
We have developed a utility called adorefind that will detect the adore
files on an infected system.
adorefind https://www.sans.org/y2k/adorefind-0.2.0.tar.gz
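As an added example (not the SANS adorefind utility and not part of this advisory), a POSIX shell check for the on-disk indicators the advisory names above; it takes an optional root prefix so a mounted image can be examined offline, and it assumes the live ps binary is /bin/ps and that a daily cron script invoking a reboot is worth flagging on its own:

```shell
#!/bin/sh
# Added example, not the SANS adorefind tool. Checks a Linux host (or a
# mounted image, via the optional root prefix) for the on-disk indicators
# the advisory describes and returns the number of indicators found.
#
# From the advisory:
#   /usr/bin/adore   the original ps, moved aside by the worm
#   /usr/lib/lib     directory the worm installs its files into
#   a daily cron job that removes its traces and reboots the host
# Assumptions (not stated in the advisory): the live ps is /bin/ps, and a
# daily cron script that reboots the machine is worth flagging by itself.

adore_check() {
    root="${1:-}"          # "" for the live system, or a mount point
    hits=0

    if [ -e "$root/usr/bin/adore" ]; then
        echo "HIT: $root/usr/bin/adore present (displaced original ps)"
        hits=$((hits + 1))
        # The binary now serving as ps should be identical to the original;
        # if it is not, the installed ps has been replaced.
        if [ -e "$root/bin/ps" ] && ! cmp -s "$root/usr/bin/adore" "$root/bin/ps"; then
            echo "HIT: $root/bin/ps differs from the displaced original (trojaned ps)"
            hits=$((hits + 1))
        fi
    fi

    if [ -d "$root/usr/lib/lib" ]; then
        echo "HIT: $root/usr/lib/lib present (worm install directory)"
        hits=$((hits + 1))
    fi

    # The worm's cover-up step is a daily cron job that ends by rebooting;
    # flag any daily script that invokes a reboot.
    if [ -d "$root/etc/cron.daily" ] &&
       grep -qE '(^|[^[:alnum:]_])(reboot|shutdown|init 6)' \
            "$root"/etc/cron.daily/* 2>/dev/null; then
        echo "HIT: a script in $root/etc/cron.daily reboots the host"
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ] && echo "no Adore indicators found under '${root:-/}'"
    return "$hits"
}

# When run as a script the exit status is the number of indicators found.
adore_check "$@"
```

Run it as root on the suspect host, or point it at the mount point of a forensic image; a non-zero exit status means at least one indicator matched and the host should be examined further.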

Removal
As adorefind runs, it will give you the option to stop the running worm
jobs and remove the files from the filesystem.

Further information can be found at:
https://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/adorefind.htm or
https://www.sans.org/y2k/adore.htm
https://www.sans.org/current.htm
https://www.sans.org/y2k/ramen.htm
https://www.sans.org/y2k/DDoS.htm

This security advisory was prepared by Matt Fearnow (matt@sans.org) of the
SANS Institute and William Stearns of the Dartmouth Institute for Security
Technology Studies.
The Adorefind utility was written by William Stearns.



Matt Fearnow
SANS GIAC Incident Handler
matt@sans.org

