Worm.FreeBSD.Scalper.a
Description Worm.FreeBSD.Scalper.a
I-Worm.Scalper, also known as "FreeBSD.Scalper.worm", "ELF/FreeApworm" and "ELF_SCALPER.A".

Scalper is an Internet worm that infects FreeBSD servers by exploiting a vulnerability in the popular "Apache" web server software. It also acts as a backdoor on infected systems, accepting a variety of "orders" to run commands on the local machine, flood a specified IP address, send mails, etc.

The "Apache" versions vulnerable to the exploit used by the worm are 1.3.x up to 1.3.24, all 2.0.x versions up to 2.0.36 and all of the older 1.2.x versions. To fix the vulnerability, it is recommended to install the patched versions "1.3.26"/"2.0.39" or later. At the time of writing of this description, the worm is believed not to be in the wild.

Relevant links:
Apache Security Bulletin, June 20, 2002: http://httpd.apache.org/info/security_bulletin_20020620.txt
Apache Web Server Chunk Handling Vulnerability: http://www.cert.org/advisories/CA-2002-17.html

Technical details of the "Scalper" worm
The worm attacks randomly generated IP address ranges of the form a.b.x.x, where "a" is selected from an array of 162 possible choices, "b" is a full 1-byte random value, and "x.x" is scanned incrementally from "0.0" up to "255.255". For each IP address, the worm first checks that it does not loop back to the local machine (e.g. addresses of the form 127.x.x.x), then tries to connect on port 80 and sends a simple "GET /" request to check whether the server runs Apache. If the server reply includes the "Apache" string, the worm attempts to exploit the Server Chunk Handling vulnerability by sending a set of two specially crafted buffers, which only work for two very specific Apache versions, 1.3.20 and 1.3.22-24. If the exploit succeeds, the worm sends itself in UUENCODED form to a file in the "/tmp" directory, unpacks it as "/tmp/.a", and runs it.
When run, the worm again enters the replication cycle, looking for more hosts, and activates the backdoor component on UDP port 2001. The backdoor accepts a rather large set of commands, among them flooding remote systems with UDP, TCP, DNS or RAW packets, running local commands, downloading a binary from a remote machine via HTTP and running it, sending mails, providing information on the configuration of the hacked machine, etc. All communication with the backdoor is encrypted; however, the encryption is static and is probably performed only to prevent direct analysis of the traffic.
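The description separates two things a defender should keep apart: the versions that carry the chunk-handling vulnerability (everything below 1.3.26 / 2.0.39, plus all of 1.2.x) and the much narrower set of versions the worm's own payload works against (1.3.20 and 1.3.22-24). The following added example (not code from the description, the worm, or Apache) classifies a Server: banner, as collected by an inventory scan of one's own hosts, against both sets; the banner strings and the regular expression are constructed here.

```python
import re

# Fixed releases named in the Apache bulletin quoted in the description.
# Anything older in the same branch is treated as vulnerable (conservative:
# a 1.3.25 banner is flagged too, since the bulletin names 1.3.26 as the fix).
FIXED_RELEASE = {(1, 3): 26, (2, 0): 39}

# The exact versions the Scalper payload is described as working against.
WORM_TARGETS = {(1, 3, 20), (1, 3, 22), (1, 3, 23), (1, 3, 24)}

# Matches "Apache" or "Apache/x.y[.z]" followed by whitespace or end of banner,
# so products such as "Apache-Coyote/1.1" are not mistaken for httpd.
BANNER_RE = re.compile(r"\bApache(?:/(\d+)\.(\d+)(?:\.(\d+))?)?(?=\s|$)")


def parse_banner(server_header):
    """Return (major, minor, patch) from a Server: header, None when the
    version is hidden, or raise ValueError if the banner is not Apache httpd."""
    m = BANNER_RE.search(server_header)
    if not m:
        raise ValueError("not an Apache httpd banner: %r" % server_header)
    if m.group(1) is None:
        return None          # e.g. "Server: Apache" with ServerTokens Prod
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def chunk_handling_status(server_header):
    """Classify one Server: header.

    Returns (status, worm_target): status is 'vulnerable', 'patched',
    'version-hidden' or 'not-covered' (branch outside the bulletin), and
    worm_target is True only for the versions the Scalper payload hits.
    """
    version = parse_banner(server_header)
    if version is None:
        return ("version-hidden", False)
    branch = version[:2]
    if branch == (1, 2):                       # every 1.2.x is vulnerable
        return ("vulnerable", False)
    if branch not in FIXED_RELEASE:
        return ("not-covered", False)
    status = "vulnerable" if version[2] < FIXED_RELEASE[branch] else "patched"
    return (status, version in WORM_TARGETS)


if __name__ == "__main__":
    # Constructed sample banners, as an inventory scan might collect them.
    for banner in ("Apache/1.3.24 (Unix) mod_ssl/2.8.8", "Apache/1.3.26 (Unix)",
                   "Apache/2.0.36", "Apache"):
        print(banner, "->", chunk_handling_status(banner))
```

A "version-hidden" result is not a clean bill of health: the worm's probe only looks for the "Apache" string, so the real version still has to be confirmed on the host.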
Lifeform.2101
Description Lifeform.2101
This is a very dangerous memory-resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are closed (i.e. the virus infects files that are copied, modified or scanned). When an infected file is debugged or opened, the virus disinfects it (stealth). When the length of an infected file is queried, the virus decreases it; when the F-PROT anti-virus or the ARJ, RAR, PKZIP, LHA or BACKUP utilities are run, the virus disables this stealth routine. The virus also fools the AVPLITE and F-PROT anti-virus programs. When AVPLITE is run, the virus adds the "disable heuristic scanning" option to the end of the command line. When F-PROT reads data from files to scan them for viruses, the virus fills the data buffer with garbage. The virus also deletes the anti-virus data files: ANTI-VIR.DAT, CHKLIST.MS, SMARTCHK.CPS, AVP.CRC, IVB.NTZ, CHKLIST.TAV. Under a debugger the virus corrupts the CMOS checksum field and halts the computer. On May 23rd the virus erases the data on the hard drive, corrupts the CMOS and displays the message:
-- [LifeForm] coded by ThE_WiZArD (1998) -- Cooler than a body on ice, Hotter than a rollin`dice Wilder than a drunken fight all You`re gonna burn tonight
The virus also contains the text strings: #ThE_WiZArD Quo vadis Fridrik? ... and you Frans still working on this shit.
Light.1010
Description Light.1010
This is a dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are accessed or found by the DOS FindFirst/FindNext functions. The virus has bugs and in some cases corrupts files while infecting them and/or halts the system. The virus contains the text strings:
A long time ago,in very remute institut all LIGHT in the DARK