Class Net-Worm
Platform Linux

Technical Details

This is the worm infecting Linux systems. The worm was discovered in spring

1998. It spreads itself from system to system by using a Linux security

breach (so called “buffer overrun” breach) that allows to upload to remote

system and run there a short piece of code that then downloads and

activates the main worm component.

The worm uses a security breach in the program package BIND (Berkeley

Internet Name Domain), which is distributed in many popular UNIX packages

and provides name service for the internet.

The Worm Itself

This is multi-component worm that consist of 8 files. These files are

script programs and executable files. The script programs are “.sh” files

that are run by Linux command shell. The executable files are standard

Linux ELF executables.

The main components of the worm are script “.sh” files that are run as

hosts, and then run the rest files (additional “.sh” files and ELF

executables) to perform necessary actions.

The list of components looks as follows:

 ADMw0rm            Hnamed

 gimmeIP            remotecmd

 gimmeRAND          scanco

 incremental        test


The spreading (infecting a remote Linux machine) is done by “buffer

overrun” attack. That attack is performed as a special packet that is sent

to a machine being attacked. The packet has a block of specially prepared

data. That block of packet’s data is then executed as a code on that

machine. That code opens a connection to infected machine, gets the rest of

worm code and activates it. At that moment the machine is infected, and

starts to spread worm further.

The worm is transferred from a machine to machine as a “tgz” archive

(standard UNIX archive) with “ADMw0rm.tgz” name, with 8 worm components

inside. While infecting a new machine the worm unpacks that package in

there, and runs the main “ADMw0rm” file that then will activate other

worm’s components.


To get IP addresses of remote machines to attack them the worm scans the

available global network for IP addresses with computers and DNS installed

servers on it.

To attack remote system the worm uses security vulnerabilities in Linux

demon: “named”.

To upload and activate its copy on remote machine the worm “buffer overrun”

code contains the instructions that switch to “root” privileges, runs

command shell and follows the commands:

  • runs the deamon “/usr/sbin/named”
  • creates the directory to download the worm “tgz” file, the directory

    name is “/tmp/.w0rm0r”

  • runs “ftp” (standart Linux program) that downloads worm “tgz” file from

    host machine (machine the worm is spreading from)

  • unpacks all worm components from “tgz” archive
  • runs the worm startup component: the “ADMw0rm” file


The worm has several payload and other non-infection routines.

First of all it finds on local machine starting from root directory all

“index.html” files (Web servers start pages) and replaces them with its own

“index.html” file that contains the text:

The ADM Inet w0rm is here !

The worm deletes the “/etc/hosts.deny” file. That file contains the list of

hosts (addresses and/or Inet names) that are denied to access this system

(in case so-called TCP wrapper is used). As a result any of restricted

machines can access affected system.

When a new system is infected, the worm sends “notification” messages to

the e-mail address “”.