Re: ADM Worm. Worm for Linux x86 found in wild.

[mixter () HOME POPMAIL COM (Mixter)]

The "ADM w0rm" is public and can be found at:
http://adm.isp.at/ADM/ADMw0rm-v1.tar

The public version solely exploits the name server iquery bug,
although it is fairly easy to make it exploit ANY remote vulnerability.
(Put in BSD/Sun exploits and it wouldn't be too linux specific anymore. :&)

Ben Cantrick (Macky Stingray) wrote:

> How it picks the IP addresses to scan is not
> presently known to me. Presumably, the "gimmieip" binary takes care
> of that. Someone with more time can dissect it and post the results.

True, it will start with a random IP number, then scan sequentially
onwards, e.g. 1.1.1.1 1.1.1.2 etc. and re-start at 255.255.255.255.
The infection routine works like this (shell script):
./gimmeip | ./incremental | ./scanner | ./exploit

>   As far as disinfection, I have not had time to work up a disinfection
> procedure. It could be as simple as rebooting to single-user and deleting

Yes, its simple. Remove the "w0rm" user from /etc/passwd and kill its
processes. The security risk is then eliminated (Remember to patch your
vulnerable daemon(s), of course). Also, since this worm swallows LOTS of
bandwidth by its permanent scanning, watch for "w0rm" scans that might
occur on your nets. Then try to telnet to the scanning host as user "w0rm"
with no password. If you succeed, simply kill -9 -1 and notify the admin.

However, the worm seems to be worked on as a private version as well, and
those could do other things and hide themselves elsewhere, so
there is no guarantee that cleaning or identification by typical
strings/files is reliable.

Mixter

----------------------
members.xoom.com/i0wnu
----------------------