Threat Description

Kork

Details

Aliases: Kork, Linux/Kork, Unix/Kork, Worm.Linux.Kork
Category: Malware
Type: Worm
Platform: Linux

Summary


Kork is a worm that uses the known vulnerability in lpd service to propagate from a vulnerable Linux system to another. This service is part of the default installation of Red Hat Linux 7.0.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details



Variant:Kork.A

If the worm finds a vulnerable host, it first creates two users, "kork" and "kork2", to the system without a password. "kork2" user has a root priviledge.

Kork also adds an open shell to port 666.

Next it attempts to download a trojanized login and the main part of the trojan from a web site. Since April 26th, 2001, neither of these files are available, so the worm cannot replicate any further. However, already infected machines are able to compromise other vulnerable machines by adding an open shell and users to the system.

If the download is completed, the worm installs trojanized "/bin/login" and "/bin/ps" to the system. It attemps to send sensitive system data propably to the virus writer.

Original "/bin/ps" is copied to "/usr/bin/.ps" and the original "/bin/login" is copied to "/bin/.login".

Finally the worm starts to scan random Class-B subnets for vulnerable hosts.

The vulnerability in the lpd daemon is known and already fixed within updated provided by Red Hat at: https://www.redhat.com/support/errata/rh7-errata-security.html





Technical Details:Sami Rautiainen, F-Secure; April 2001


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More