Unix/SadMind

Category: Viruses and Spyware
Type: Unix worm
Protection available since: 10 May 2001 00:00:00 (GMT)
Last Updated: 06 Mar 2011 17:16:02 (GMT)
Prevalence: No Reports


Unix/SadMind is an internet worm that propagates by exploiting a buffer overrun in the sadmind program, part of the Solstice AdminSuite, on Solaris systems.

When the worm attacks a system, it appends the text "+ +" to the .rhosts file belonging to root. That entry makes the root account trust every remote host and user, which is what lets the worm then copy itself (using rcp) to the new machine, where it is extracted into a new /dev/cuc directory. /etc/rc.d/S71rpc is changed so that the worm is started when the system starts, and that file is then run to make the worm active immediately.
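The host changes described above can be checked on a live system or on a mounted disk image. The shell script below is an added example, not part of the original description; the extra /root/.rhosts location and the expectation that a modified startup script references /dev/cuc are assumptions.

```shell
#!/bin/sh
# Added example: triage for the host changes this description lists.
# Usage: sh sadmind_triage.sh [ROOT]   (ROOT = mount point of a disk image)

SADMIND_FINDINGS=0

sadmind_triage() {
    root="${1:-/}"
    root="${root%/}"            # "/" becomes "", so paths below stay absolute
    SADMIND_FINDINGS=0

    # 1. Wildcard trust line "+ +" in root's .rhosts. Root's home is / on
    #    classic Solaris; /root is checked too (assumption, not from the page).
    for rh in "$root/.rhosts" "$root/root/.rhosts"; do
        [ -f "$rh" ] || continue
        if grep -Eq '^[[:space:]]*\+[[:space:]]+\+[[:space:]]*$' "$rh" 2>/dev/null; then
            echo "FOUND: wildcard '+ +' trust entry in $rh"
            SADMIND_FINDINGS=$((SADMIND_FINDINGS + 1))
        fi
    done

    # 2. The directory the worm extracts itself into.
    if [ -d "$root/dev/cuc" ]; then
        echo "FOUND: directory $root/dev/cuc exists"
        SADMIND_FINDINGS=$((SADMIND_FINDINGS + 1))
    fi

    # 3. Startup script named on the page. Assumption: a modified copy
    #    references /dev/cuc; otherwise compare it against a known-good copy.
    rc="$root/etc/rc.d/S71rpc"
    if [ -f "$rc" ] && grep -q '/dev/cuc' "$rc" 2>/dev/null; then
        echo "FOUND: $rc references /dev/cuc"
        SADMIND_FINDINGS=$((SADMIND_FINDINGS + 1))
    fi

    [ "$SADMIND_FINDINGS" -gt 0 ] || echo "No SadMind host artifacts under ${root:-/}"
    return 0
}

sadmind_triage "${1:-/}"
```

A clean result only covers these three artifacts; a startup script that was altered without mentioning /dev/cuc still needs comparing against a known-good copy.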

While the worm is active, it scans random class B networks looking for vulnerable machines to infect next. In parallel, it scans for Microsoft IIS web servers and attempts to deface the front page with a message in red text on a black background stating 'fuck USA Government, fuck PoizonBOx'.


After the worm has infected 2000 other computers, all index.html files on the infected machine will be changed to display the offensive message.

Patches for these vulnerabilities are available from Microsoft and Sun Microsystems.