Summary

| Detected by | All Sophos products |
|---|---|
Action
Please follow the instructions for removing infected executable files.
More Information
Linux/Adore is an internet worm for the Linux operating system. The worm is very similar to the Linux/Ramen and Linux/Lion worms. It uses four known vulnerabilities, in wu-ftpd, bind, lpd and RPC.statd, which allow the attacker to gain root access and run malicious code.
When the worm runs, it attempts to send confidential information such as IP configuration and information about running processes together with the files /etc/hosts and /etc/shadow to four email addresses which appear to be based in China.
The worm also copies a script "0anacron" into the /etc/cron.daily directory so that it runs when the daily cron jobs are scheduled (by default at 4:02 a.m.). This script removes the worm from the infected host.
The worm spreads by scanning randomly generated class B IP address ranges and probing the hosts it finds for the vulnerabilities listed above. If a vulnerability is found, the worm exploits it so that the attacked host runs code (with superuser privileges) to download the worm archive file, unpack it, install it into the directory /usr/lib/lib and run it.
The Linux system program /bin/ps is replaced with a trojanised version, which hides all worm processes from the list of running processes shown when the ps command is run.
The worm also runs a program called icmp, which listens for incoming packets; if a received packet's length equals the value specified in the program's source file, it starts a root shell that accepts connections on port 65535, acting as a backdoor.
Sophos recommends that Linux users apply security patches to their systems to prevent this and other Linux worms from exploiting these vulnerabilities.
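The artifacts described above (the 0anacron cron script, the /usr/lib/lib install directory, a ps binary that hides processes, and a listener on port 65535) can be checked for from a defender's side. The following is an added example, not Sophos's own tooling: it compares the PIDs present in /proc with what ps reports (taking /proc twice so processes that start or exit during the ps call are not misreported), parses /proc/net/tcp for a LISTEN socket on the backdoor port, and checks the indicator paths. The /proc/net/tcp excerpt is constructed sample data.

```python
"""Check a Linux host for the Adore artifacts described above (added example)."""
import os
import subprocess

# Indicators taken from the description: cleanup cron script, install directory, backdoor port.
ADORE_PATHS = ["/etc/cron.daily/0anacron", "/usr/lib/lib"]
BACKDOOR_PORT = 65535

# Constructed /proc/net/tcp excerpt: a listener on port 22 (0x0016) and one on 65535 (0xFFFF).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:FFFF 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
"""

def parse_proc_pids(entries):
    """Keep only the numeric entries of a /proc listing, i.e. the live PIDs."""
    return sorted(int(e) for e in entries if e.isdigit())

def parse_ps_pids(ps_output):
    """Parse `ps -e -o pid=` output: one PID per line, no header."""
    return sorted(int(tok) for tok in ps_output.split() if tok.isdigit())

def hidden_pids(proc_before, ps_pids, proc_after):
    """PIDs seen in /proc both before and after the ps snapshot but missing from ps.
    Needing both /proc reads discards processes that started or exited in between,
    so what remains is exactly what a trojanised ps is hiding."""
    return sorted((set(proc_before) & set(proc_after)) - set(ps_pids))

def listening_on_port(proc_net_tcp, port):
    """True if /proc/net/tcp shows a socket in LISTEN state (st == 0A) on `port`."""
    for line in proc_net_tcp.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A" and int(fields[1].rsplit(":", 1)[1], 16) == port:
            return True
    return False

def existing_indicators(paths, exists=os.path.exists):
    """Indicator paths present on the host; exists() is injectable for offline tests."""
    return [p for p in paths if exists(p)]

def check_host():
    """Run every check against the live system and return the findings."""
    before = parse_proc_pids(os.listdir("/proc"))
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True).stdout
    after = parse_proc_pids(os.listdir("/proc"))
    with open("/proc/net/tcp") as f:
        tcp = f.read()
    return {"hidden_pids": hidden_pids(before, parse_ps_pids(ps_out), after),
            "backdoor_listener": listening_on_port(tcp, BACKDOOR_PORT),
            "indicators": existing_indicators(ADORE_PATHS)}
```

Call check_host() on a Linux host to get the findings; the /proc comparison catches a userland-trojanised ps as described here, not a kernel-level rootkit that also hides entries from /proc.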

