Parent class: VirWare
Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:- file viruses
- boot sector viruses
- macro viruses
- script viruses
Class: Net-Worm
Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread. This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit) and as a result the worm code (or part of the worm code) penetrates the victim computer and activates. Sometimes the network packet only contains the part of the worm code which will download and run a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.Read more
Platform: Linux
Linux is a family of UNIX-influenced operating systems based on the Linux kernel and GNU tools.Description
Technical Details
Text written by Costin Raiu, Kaspersky, Romania
This is an Internet worm that replicates between systems that were previously hacked by the "Ramen" Linux worm, and not the "Lion" or "Adore" worms as it is stated in other various descriptions, or the worm itself. (see the text below) "Cheese" will also act as a "security patch" that removes the backdoors added by previous attacks, but it will not remove or patch the vulnerabilities used to hack the respective systems; thus, the machines will still remain vulnerable to the original attack(s) used to compromise them. The worm contains the following text:
> # removes rootshells running from /etc/inetd.conf
> # after a l10n infection... (to stop pesky haqz0rs
> # messing up your box even worse than it is already)
> # This code was not written with malicious intent.
> # Infact, it was written to try and do some good.
No matter how good the original intention of the author was, "Cheese" remains a piece of replicative "malware" that eats up resources such as CPU, memory, disk space or Internet bandwidth from infected systems; thus, remaining a "bad thing".
Technical details
The worm consists of three program files named "cheese", "go" and "psm". "go" is the worm's "entrypoint", that basically executes the main worm body, "cheese", in such a way that makes it immune to signals, which might attempt to halt it. "cheese", a 2Kylobytes-long Perl script, is the main part of the worm, the one responsible for the replication.
When run, it will first scan "/etc/inetd.conf" for services attempting to execute "/bin/sh", mostly root-shell backdoors, and remove them. Obviously, if a root shell has been added to the newer-style "/etc/xinetd.conf", the worm will not notice it, and leave it untouched.
Next, it will generate a random 16-bit IP base, such as "a" and "b" in the "a.b.x.y", then it will use an external Linux ELF program to scan the respective Internet IP class for hosts listening on port 10008. Usually, these are hosts that have been previously hacked by the "Ramen" worm, hosts that run an open root shell on the respective port.
So, when such a host is found, the worm will execute a small installation script on the remote host that will create a directory named "/tmp/.cheese", and it will launch an instance of the popular Lynx browser to download a copy of the worm from the infected system. The worm itself will listen for the connection attempt on the source system, and forward an UUE-encoded copy of itself to the remote caller. The installation script running on the target system will decode the worm body, unpack it in the "/tmp/.cheese" directory, and eventually execute the "go" script to launch the worm, which propagates the infection further.
Read more
Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com