SANS Releases Info on "Adore Worm"
Source: SANS - Posted by Dave Wreski   
Intrusion Detection There is apparently a new worm to follow on the heels of the Rame and Lion worms. "Adore is a worm that we originally called the Red Worm. It is similar to the Ramen and Lion worms. Adore scans the Internet checking Linux hosts to determine whether they are vulnerable to any of the following well-known exploits: LPRng, rpc-statd, wu-ftpd and BIND. LPRng is installed by default on Red Hat 7.0 systems. From the reports so far, Adore appears to have started its spread on April 1.. . . There is apparently a new worm to follow on the heels of the Rame and Lion worms. "Adore is a worm that we originally called the Red Worm. It is similar to the Ramen and Lion worms. Adore scans the Internet checking Linux hosts to determine whether they are vulnerable to any of the following well-known exploits: LPRng, rpc-statd, wu-ftpd and BIND. LPRng is installed by default on Red Hat 7.0 systems. From the reports so far, Adore appears to have started its spread on April 1.

Adore worm replaces only one system binary (ps), with a trojaned version and moves the original to /usr/bin/adore. It installs the files in /usr/lib/lib . It then sends an email to the following addresses: adore9000@21cn.com, adore9000@sina.com, adore9001@21cn.com, adore9001@sina.com Attempts have been made to get these addresses taken offline, but no response so far from the provider."

Read this full article at SANS

Only registered users can write comments.
Please login or register.

Powered by AkoComment!