Text written by Costin Raiu, Kaspersky, Romania
This is an Internet worm that replicates between systems that were previously hacked by the “Ramen” Linux worm, and not the “Lion” or “Adore” worms as it is stated in other various descriptions, or the worm itself.
(see the text below) “Cheese” will also act as a “security patch” that removes the backdoors added by previous attacks, but it will not remove or patch the vulnerabilities used to hack the respective systems; thus, the machines will still remain vulnerable to the original attack(s) used to compromise them. The worm contains the following text:
> # removes rootshells running from /etc/inetd.conf
> # after a l10n infection… (to stop pesky haqz0rs
> # messing up your box even worse than it is already)
> # This code was not written with malicious intent.
> # Infact, it was written to try and do some good.
No matter how good the original intention of the author was, “Cheese” remains a piece of replicative “malware” that eats up resources such as CPU, memory, disk space or Internet bandwidth from infected systems; thus,
remaining a “bad thing”.
The worm consists of three program files named “cheese”, “go” and “psm”. “go” is the worm’s “entrypoint”, that basically executes the main worm body, “cheese”, in such a way that makes it immune to signals, which might attempt to halt it. “cheese”, a 2Kylobytes-long Perl script, is the main part of the
worm, the one responsible for the replication.
When run, it will first scan “/etc/inetd.conf” for services attempting to execute “/bin/sh”, mostly
root-shell backdoors, and remove them. Obviously, if a root shell has been added to the newer-style “/etc/xinetd.conf”, the worm will not
notice it, and leave it untouched.
Next, it will generate a random 16-bit
IP base, such as “a” and “b” in the “a.b.x.y”, then it will use an external Linux ELF program to scan the respective Internet IP class for hosts listening on port 10008. Usually, these are hosts that have been previously
hacked by the “Ramen” worm, hosts that run an open root shell on the
So, when such a host is found, the worm will execute a
small installation script on the remote host that will create a directory named “/tmp/.cheese”, and it will launch an instance of the popular Lynx browser to download a copy of the worm from the infected system. The worm itself will listen for the connection attempt on the source system, and
forward an UUE-encoded copy of itself to the remote caller. The installation script running on the target system will decode the worm body, unpack it in the “/tmp/.cheese” directory, and eventually execute the “go” script to
launch the worm, which propagates the infection further.