Kork is a worm that uses the known vulnerability in lpd service to
propagate from a vulnerable Linux system to another. This service is
part of the default installation of Red Hat Linux 7.0.
If the worm finds a vulnerable host, it first creates two users,
"kork" and "kork2", to the system without a password. "kork2" user has
a root priviledge.
Kork also adds an open shell to port 666.
Next it attempts to download a trojanized login and the main part of
the trojan from a web site. Since April 26th, 2001, neither
of these files are available, so the worm cannot replicate any
further. However, already infected machines are able to compromise
other vulnerable machines by adding an open shell and users to the
system.
If the download is completed, the worm installs trojanized
"/bin/login" and "/bin/ps" to the system. It attemps to send sensitive
system data propably to the virus writer.
Original "/bin/ps" is copied to "/usr/bin/.ps" and the original
"/bin/login" is copied to "/bin/.login".
Finally the worm starts to scan random Class-B subnets for vulnerable
hosts.
