Worm Detected

Impact

There is evidence that the system has been penetrated by an Internet worm. Files or system information may have been transmitted to remote parties, unauthorized file modifications may have taken place, and backdoors allowing unauthorized access may be present. Furthermore, it is likely that the system is being used as a launching point for further propagation of the worm across the network.

Background

A worm is a self-replicating program designed to spread across a network without requiring any outside actions to take place. The main difference between a worm and a virus is that a virus relies on human actions, such as sending e-mail or sharing files, to copy itself from one computer to another, whereas a worm is able to do so independently, allowing it to spread much faster.

The Problems


Ramen worm

The Ramen worm spreads using Red Hat Linux 6.2 and 7.0 systems by exploiting well-known vulnerabilities in wu-ftpd, rpc.statd, and LPRng. When the Ramen worm installs itself on a new host, it takes the following actions:


Lion worm

The Lion worm spreads by scanning random Class B networks for well-known vulnerabilities in BIND domain name servers. When a vulnerable server is found, the worm exploits the vulnerability and does a number of things to the victim. The most serious things it does are the following:


Adore worm

The Adore worm, also known as the Red worm, is similar to the Ramen and Lion worms. It spreads itself by exploiting vulnerabilities in LPRng, rpc.statd, wu-ftpd, and BIND. After gaining access to a system, it performs the following actions:

There is also a variant of Adore which performs several other actions in addition to the above, such as adding two new system accounts and sending out e-mail to two more e-mail addresses.


lprw0rm

The lprw0rm spreads by scanning random Class B networks for vulnerable LPRng print servers. Upon gaining access to a vulnerable machine, the worm performs the following actions:

The web site which was being used to distribute the worm has since been shut down, thereby stopping the spread of this worm. However, even without the ability to download itself from the web site, the worm can still create the backdoor accounts and root shell on any new victim machines.


sadmind/IIS worm

The sadmind/IIS worm affects Solaris and Windows servers. It propagates by exploiting a buffer overflow condition in the Solaris sadmind service. After gaining access to a Solaris host, it performs the following actions:

Resolution

The paragraphs below explain how to remove a worm from an infected system. However, removal of the worm does not solve the problem at its roots. The presence of the worm is evidence that a critical vulnerability exists on the host. The system should be taken offline until it is certain that the vulnerable services are upgraded to the latest, patched versions.

To remove the Ramen worm, follow these steps:

  1. Delete /usr/src/.poop and /sbin/asp.
  2. If it exists, remove /etc/xinetd.d/asp.
  3. Remove all lines in /etc/rc.d/rc.sysinit which refer to any file in /usr/src/.poop.
  4. Remove any lines in /etc/inetd.conf referring to /sbin/asp.
  5. Reboot the system or manually kill any processes such as synscan, start.sh, scan.sh, hackl.sh, or hackw.sh.
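The removal steps above double as a checklist for confirming whether a host carries the Ramen indicators. The following audit script is an added example, not part of the original advisory: the function names are constructed, it takes an optional root prefix so it can be pointed at a mounted image of the suspect disk, and it only reports (it deletes nothing, and the demonstration tree it builds is constructed, not a real infection).

```shell
#!/bin/sh
# Audit a filesystem tree for the Ramen indicators named in the removal steps.
# "$1" is an optional root prefix (e.g. a mounted disk image of the suspect
# host); with no argument the live root is checked. One line is printed per
# indicator found; the return code is 1 if anything was found, 0 if clean.
ramen_audit() {
    root="${1:-}"
    found=0
    # Steps 1-2: the worm's files and its xinetd service entry
    for f in /usr/src/.poop /sbin/asp /etc/xinetd.d/asp; do
        if [ -e "$root$f" ]; then
            echo "INDICATOR: $f present"
            found=1
        fi
    done
    # Step 3: rc.sysinit lines that refer to /usr/src/.poop
    if [ -f "$root/etc/rc.d/rc.sysinit" ] \
       && grep -q '/usr/src/\.poop' "$root/etc/rc.d/rc.sysinit"; then
        echo "INDICATOR: rc.sysinit refers to /usr/src/.poop"
        found=1
    fi
    # Step 4: inetd.conf lines that refer to /sbin/asp
    if [ -f "$root/etc/inetd.conf" ] \
       && grep -q '/sbin/asp' "$root/etc/inetd.conf"; then
        echo "INDICATOR: inetd.conf refers to /sbin/asp"
        found=1
    fi
    return $found
}

# Step 5: list running processes carrying the worm's known names (live host
# only; nothing is killed, the operator decides what to do with the output).
ramen_procs() {
    ps -eo comm= 2>/dev/null | grep -E '^(synscan|start\.sh|scan\.sh|hackl\.sh|hackw\.sh)$'
}

# Constructed demonstration (not a real infection): plant every indicator in a
# throwaway directory, audit it, and print the number of findings (5 here).
ramen_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/src/.poop" "$tmp/etc/rc.d" "$tmp/etc/xinetd.d" "$tmp/sbin"
    : > "$tmp/sbin/asp"
    : > "$tmp/etc/xinetd.d/asp"
    echo '/usr/src/.poop/start.sh' > "$tmp/etc/rc.d/rc.sysinit"
    echo 'asp stream tcp nowait root /sbin/asp' > "$tmp/etc/inetd.conf"
    ramen_audit "$tmp" | wc -l | tr -d ' '
    rm -rf "$tmp"
}
```

Run `ramen_audit /mnt/suspect` against a mounted image, or `ramen_audit` with no argument plus `ramen_procs` on the live host; a non-zero return from the audit means the removal steps still apply.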

No procedure for removing the Lion worm has been publicized at this time. It is recommended that infected machines be taken offline until either the system can be restored from a clean backup or a removal procedure is developed. Check SANS regularly for any further developments.

To remove the Adore worm, download and run the Adorefind utility. It can be run on an infected system to find files which are part of the worm and delete them.

There is no standard procedure for removing lprw0rm. If your system has been compromised by this worm, it would be advisable to restore files such as /etc/inetd.conf (or equivalent), /etc/passwd, /etc/shadow, /bin/ps, and /bin/login from backups, and to delete everything found in /dev/.kork.

There is no tool or procedure available to remove the sadmind/IIS worm. It is recommended that the system be taken offline until it can be restored from backups and until the vulnerabilities in sadmind and IIS have been patched. See Sun Security Bulletin #00191 for Solaris patch information and Microsoft Security Bulletin 00-078 for IIS patch information.

Where can I read more about this?

The Ramen worm was discussed in an X-Force advisory and in the Symantec AntiVirus Research Center.

More information about the Lion worm is available from the SANS Global Incident Analysis Center.

More information about the Adore worm is also available from SANS.

More information about lprw0rm was posted to the SecurityFocus Incidents mailing list.

More information about the sadmind/IIS worm is available in CERT Advisory 2001-11.

For general information about worms and how they differ from viruses, see the Symantec AntiVirus Research Center.