Virus Database

Worm.Linux.Adm

Description Worm.Linux.Adm

This is the worm infecting Linux systems. The worm was discovered in spring 1998. It spreads itself from system to system by using a Linux security breach (so called "buffer overrun" breach) that allows to upload to remote system and run there a short piece of code that then downloads and activates the main worm component.
The worm uses a security breach in the program package BIND (Berkeley Internet Name Domain), which is distributed in many popular UNIX packages and provides name service for the internet.
The Worm Itself
This is multi-component worm that consist of 8 files. These files are script programs and executable files. The script programs are ".sh" files that are run by Linux command shell. The executable files are standard Linux ELF executables.
The main components of the worm are script ".sh" files that are run as hosts, and then run the rest files (additional ".sh" files and ELF executables) to perform necessary actions.
The list of components looks as follows:
ADMw0rm Hnamed
gimmeIP remotecmd
gimmeRAND scanco
incremental test

Spreading
The spreading (infecting a remote Linux machine) is done by "buffer overrun" attack. That attack is performed as a special packet that is sent to a machine being attacked. The packet has a block of specially prepared data. That block of packet's data is then executed as a code on that machine. That code opens a connection to infected machine, gets the rest of worm code and activates it. At that moment the machine is infected, and starts to spread worm further.
The worm is transferred from a machine to machine as a "tgz" archive (standard UNIX archive) with "ADMw0rm.tgz" name, with 8 worm components inside. While infecting a new machine the worm unpacks that package in there, and runs the main "ADMw0rm" file that then will activate other worm's components.
To get IP addresses of remote machines to attack them the worm scans the available global network for IP addresses with computers and DNS installed servers on it.
To attack remote system the worm uses security vulnerabilities in Linux demon: "named".
To upload and activate its copy on remote machine the worm "buffer overrun" code contains the instructions that switch to "root" privileges, runs command shell and follows the commands:
runs the deamon "/usr/sbin/named"
creates the directory to download the worm "tgz" file, the directory name is "/tmp/.w0rm0r"
runs "ftp" (standart Linux program) that downloads worm "tgz" file from host machine (machine the worm is spreading from)
unpacks all worm components from "tgz" archive
runs the worm startup component: the "ADMw0rm" file
Misc.
The worm has several payload and other non-infection routines.
First of all it finds on local machine starting from root directory all "index.html" files (Web servers start pages) and replaces them with its own "index.html" file that contains the text:
The ADM Inet w0rm is here !
The worm deletes the "/etc/hosts.deny" file. That file contains the list of hosts (addresses and/or Inet names) that are denied to access this system (in case so-called TCP wrapper is used). As a result any of restricted machines can access affected system.
When a new system is infected, the worm sends "notification" messages to the e-mail address "admsmb@hotmail.com".

Check other viruses! Be aware! Use Antiviral Software

Linux.Rike.1627

Description Linux.Rike.1627
Rike is a non-dangerous nonmemory resident parasitic virus. It searches for Linux executable files in the current directory, then writes itself to the middle of the file. It's size is 1627 bytes and is written in the Assembler programming language.
The Rike virus uses low level Linux functions when working with files: SYS CALLS INT 80h. While infecting a file the virus scans sections with the attribute SHT_PROGBITS. Rike increases the size of the last section and writes itself to the free space. Next, the virus inserts a Jump command to the Entry Point address.
The virus writes its label to the ELF header. The label is the string "RIKE".

Linux.RST

Description Linux.RST

This text was written by Costin Raiu, Kaspersky Labs, Romania
This is a Linux virus that also implements several backdoor facilities, allowing an attacker to take control of the system infected with it in case the virus has been executed on account with root priviledges. The virus infects all the Linux binary executables in the current directory and the /bin directory, and listens to the first network card 'eth0' as well on the first PPP connection interface, and 'ppp0' for special packets sent in the EGP communication protocol. Whenever such a special package arrives, the virus allows the attacker to take control of the system with a root shell.
The virus will also attempt to create two new devices in the /dev directory, named "/dev/hdx1" and "/dev/hdx2", and tries to access a Web page on the ns1.xoasis.com web server.
Technical details:
The viral part works by attaching itself to normal ELF executables, patching their header, and moving the entrypoint to the viral code. At the same time, the virus relocates all the data found after the original host code to the end of its own code. It is interesting to note that the virus also performs an anti-debugging check by seeing whether the current process is 'ptrace'-ed. If so, it will immediately terminate execution. If not, the virus looks for all the files in the current directory, and attempts to infect them. After this, it will also attempt to infect all the files in the '/bin' directory, which under normal conditions will only work if the infected program has been run under an account with higher privileges. There is no attempt in the viral code to exploit any Linux vulnerabilities in order to obtain higher access when the virus is run on a normal user account.
The backdoor part of the virus attempts to create two new devices named "/dev/hdx1" and "/dev/hdx2", and if the creation succeeds, it checks for the existence of the two standard network interfaces 'eth0' or 'ppp0', and attempts to set them into "promiscuous" mode. It also attempts to create an "Exterior Gateway Protocols" (EGP) raw socket, and put it into listening mode.
When a special EGP IP packet arrives, the virus will check whether the 23rd byte in the data-packet is 0x11, then it will check for the presence of a specific password, as a 3-byte string at the offset 0x2a in the buffer. If these two conditions are met, the backdoor will check for a "command" byte, which is either 1 or 2 - if the "command" byte is "1", it will spawn a standard "/bin/sh" shell, which the attacker can control on the remote system.
Two strings can be seen inside the virus, but they are not used anywhere in the code. These strings are "snortdos" and "tory".

Home