Linux/Devnull-A is a worm that spreads by exploiting the OpenSSL vulnerability in the Apache mod_ssl module, in a similar way to Linux/Slapper-A.
The worm consists of four files. Three of these - shell.sh, sslx.c and devnull - are used to spread; the fourth, k, is a Linux backdoor Trojan with distributed denial-of-service capabilities. This Trojan is detected by Sophos Anti-Virus as Troj/Kaiten-E.
The worm starts to spread when devnull runs and generates a random IP address. Once a valid address is generated, devnull calls the compiled sslx which runs the exploit code. The exploit, running on a remote machine, connects to a website and downloads the shell script shell.sh.
The script shell.sh attempts to download, unpack and run two other files: k.gz and devnull.tar.gz.
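The file names above can be used as a host-side check. The following is an added example, not part of the original description: it reports a directory only when several of the worm's file names appear together in it. The co-occurrence threshold, the function name and the sample listing are assumptions made for illustration.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# File names taken from the description above; "sslx" is the compiled sslx.c.
ARTIFACT_NAMES = {"shell.sh", "sslx.c", "sslx", "devnull",
                  "k", "k.gz", "devnull.tar.gz"}

# Assumption: one match alone is a weak signal (names such as "k" or
# "shell.sh" are common), so a directory is reported only when at least
# this many distinct names co-occur in it.
MIN_DISTINCT = 2


def find_devnull_artifacts(paths, min_distinct=MIN_DISTINCT):
    """Return {directory: sorted artifact names} for every directory that
    holds at least `min_distinct` distinct Linux/Devnull-A file names."""
    by_dir = defaultdict(set)
    for raw in paths:
        p = PurePosixPath(raw)
        if p.name in ARTIFACT_NAMES:          # exact basename match only
            by_dir[str(p.parent)].add(p.name)
    return {d: sorted(names) for d, names in by_dir.items()
            if len(names) >= min_distinct}


# Constructed sample listing (not from a real host), in the form produced
# by a recursive file listing such as `find / -type f`.
SAMPLE_LISTING = [
    "/tmp/sample/shell.sh",
    "/tmp/sample/sslx.c",
    "/tmp/sample/sslx",
    "/tmp/sample/devnull",
    "/tmp/sample/k",
    "/home/alice/scripts/shell.sh",  # lone common name: not reported
    "/var/www/html/index.html",
    "/dev/null",                     # basename is "null", not "devnull"
]

if __name__ == "__main__":
    for directory, names in find_devnull_artifacts(SAMPLE_LISTING).items():
        print(f"{directory}: {', '.join(names)}")
```

A match is a prompt for further inspection of the host, since the check relies on file names alone and the files may have been renamed or removed.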