
Unix/SadMind

Aliases
  • sadmind/IIS
  • Solaris/Sadmind.worm
  • Backdoor.Sadmind
  • SunOS/BoxPoison

Summary

Detected by All Sophos products

Action

Please follow the instructions for removing worms.


The worm will create two directories, /dev/cuc and /dev/cub. /dev/cuc contains the worm files and /dev/cub contains infection logs. Both these directories and their contents should be deleted.

The worm prepends the line '/bin/nohup dev/cuc/start.sh >/dev/null 2>&1 &' to /etc/rc2.d/S71rpc. This line should be removed.

A line '+ +' will have been appended to the .rhosts file in root's home directory. This line should be removed.

There will be a file /tmp/.f containing the text 'pcserver stream tcp nowait root /bin/sh sh -i'. A copy of inetd will be running using this file as the configuration file. This means there is an open root shell on tcp port 600. This file should be deleted and the inetd process killed.

After 2000 infections the worm will replace all files named index.html with a new html page which displays the text 'fuck USA Government fuck PoizonBOx'. These files will need to be replaced from backup.

There will be several worm processes running on the system. These can be killed manually or the machine can be restarted. Most of the processes are easy to spot because they are scripts which exist in the /dev/cuc directory. Examples are /dev/cuc/sadmin.sh, /dev/cuc/uniattack.sh and /dev/cuc/time.sh.

The worm may also install perl on the system. This can be removed with the package management tools.

To avoid reinfection the system should be patched. There is a patch available to prevent the sadmind exploit at http://sunsolve.sun.com.

Patches for the IIS vulnerability can be obtained from Microsoft at http://www.microsoft.com/technet/security/bulletin/MS00-078.asp.
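The removal steps above can be turned into a read-only host check before any cleanup is done. The script below is an added example and is not Sophos tooling; it looks for the artefacts listed in this write-up (the /dev/cuc and /dev/cub directories, the start line in /etc/rc2.d/S71rpc, the '+ +' entry in root's .rhosts, the /tmp/.f inetd configuration, defaced index.html files, and the worm and inetd processes) and prints one FOUND line per indicator without deleting anything. The optional directory prefix argument is an assumption added so the same checks can be run against a mounted image or a constructed directory tree; root's home directory is assumed to be / as on a stock Solaris install.

```shell
#!/bin/sh
# Added example, not Sophos' own code: read-only check for the Unix/SadMind
# host indicators described in the removal instructions above.
# Usage: sh sadmind_check.sh --check            (live system)
#        sh sadmind_check.sh --check /mnt/image (prefix, assumed for offline use)

sadmind_check() {
    root="${1:-}"   # "" means the live system; otherwise a directory prefix

    # 1. Worm staging directories: /dev/cuc holds the files, /dev/cub the logs.
    for d in "$root/dev/cuc" "$root/dev/cub"; do
        if [ -d "$d" ]; then echo "FOUND: directory $d"; fi
    done

    # 2. Persistence line prepended to the rpc start script.
    rc="$root/etc/rc2.d/S71rpc"
    if [ -f "$rc" ] && grep -q 'dev/cuc/start.sh' "$rc"; then
        echo "FOUND: start line in $rc"
    fi

    # 3. '+ +' trust entry appended to root's .rhosts (root's home assumed to be /).
    rh="$root/.rhosts"
    if [ -f "$rh" ] && grep -qx '+ +' "$rh"; then
        echo "FOUND: '+ +' in $rh"
    fi

    # 4. inetd configuration that binds a root shell to tcp port 600.
    f="$root/tmp/.f"
    if [ -f "$f" ] && grep -q 'pcserver stream tcp nowait root' "$f"; then
        echo "FOUND: inetd config $f"
    fi

    # 5. index.html files overwritten with the defacement text.
    find "$root/" -type f -name index.html -exec grep -l 'PoizonBOx' {} + 2>/dev/null |
    while read -r page; do
        echo "FOUND: defaced page $page"
    done

    # 6. Live system only: worm scripts and the rogue inetd in the process list.
    #    The bracket trick keeps grep from matching its own command line.
    if [ -z "$root" ]; then
        ps -ef 2>/dev/null | grep '[/]dev/cuc/' | while read -r line; do
            echo "FOUND: worm process: $line"
        done
        ps -ef 2>/dev/null | grep '[i]netd.*/tmp/\.f' | while read -r line; do
            echo "FOUND: rogue inetd: $line"
        done
    fi
}

# Only run when explicitly asked, so sourcing the file does nothing by itself.
case "${1-}" in
    --check) shift; sadmind_check "$@" ;;
esac
```

Once the FOUND lines have been reviewed, the cleanup follows the instructions above: delete the two directories, strip the start line from S71rpc and the '+ +' line from .rhosts, remove /tmp/.f and kill the inetd that loaded it, restore defaced pages from backup, and apply the Sun and Microsoft patches before the host goes back on the network.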

More Information

Unix/SadMind is an internet worm which propagates using a buffer overrun exploit on Solaris systems in the sadmind program, part of the Solstice AdminSuite.

When the worm attacks a system it will append the text "+ +" to the .rhosts file belonging to root. It will then copy the worm (using rcp) to the new machine and extract into a new /dev/cuc directory. /etc/rc.d/S71rpc will be changed so the worm is started when the system is started and then that file will be run to make the worm active immediately.

When the worm is active it will scan random class B networks looking for vulnerable machines to infect next. In parallel it will scan for Microsoft IIS web servers and will attempt to deface the front page with a message in red text on a black background stating 'fuck USA Government, fuck PoizonBOx'.


After the worm has infected 2000 other computers all index.html files on the infected machine will be changed to display the offensive message.

Patches from Microsoft and Sun Microsystems are available to patch the vulnerabilities.
