Threat Description

Adore

Details

Aliases: Adolff, Adore, Unix/Adore, Red worm, Linux/Adore
Category: Malware
Type: Worm
Platform: Linux

Summary



Adore is a worm, that spreads in Linux systems using four diffrent, known vulnerabilities already used by Ramen and Lion worms. These vulnerabilities concern BIND named, wu-ftpd, rpc.statd and lpd services.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



When Adore is running, it scans for vulnerable hosts from random Class B subnets on the network. If vulnerable host is found, attempts to download the main worm part from a web server located in China, in a similar way that Lion worm does.

After the worm has been downloaded to the victim machine, it is stored in to "/usr/local/bin/lib/" directory and "start.sh" is executed launching the worm.

At the start, "start.sh" replaces "/bin/ps" with trojanized version that does not show processes that are part of the worm. The original "/bin/ps" command is copied "/usr/bin/anacron".

The script also replaces "/sbin/klogd" with a version that has a backdoor. The backdoor activates when it receives a ping packet with correct size, and opens a shell in the port 65535. Orginal "klogd" will be saved to "/usr/lib/klogd.o".

The worm sends sensitive system data, including contents of the "/etc/shadow" file to four different email addresses.

Adore also creates a script file "/etc/cron.daily/0anacron". This file will be executed by the cron daemon with the next daily run. At this time, the worm will remove itself from the system and restore the original "/bin/ps". All worm related processes except the backdoor will be shut down, and the system will be restarted if "/sbin/shutdown" exists. The backdoor will start after the system has been restarted as the "/sbin/klogd" still contains the backdoor.

All four vulnerabilities have been already fixed by different Linux vendors. Further information is available at:

Debian GNU/Linux: http://www.debian.org/security/

Linux Mandrake: http://www.linux-mandrake.com/en/security/

SuSE: http://www.suse.com/en/support/security/index.html

RedHat Linux: http://www.redhat.com/support/errata/

F-Secure Anti-Virus detects the Adore worm with the current updates.





Description Created: Analysis: Sami Rautiainen, F-Secure; April 2001


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More