88    Kaspersky Anti-Virus® for Sendmail with Milter API
Activity algorithm: exploiting a buffer overrun vulnerability, the worm sends a short portion of its code to a remote computer. When the main worm component (the start.sh file) starts, it opens a connection and successively downloads the other components; these determine the addresses of the systems to be attacked, then use the buffer overrun to send a worm loader there, which in turn completes the download and starts the main portion of the worm code. The main page of the server is replaced with an HTML file containing the following text: "RameN Crew – Hackers looooooooooooove noodles". Finally, the worm sends an e-mail message to two addresses, restarts the system and begins scanning the Internet again.
The worm also adds a command for starting its main file to the /etc/rc.d/rc.sysinit system initialization file. As a result, the worm is started on every subsequent boot of the infected system.
Worm.Linux.Lion is an Internet worm that attacks Linux servers. It uses a security breach in the BIND DNS service to penetrate computer systems.
Activity algorithm: the worm scans the Internet, searching for systems with a root access vulnerability. When it discovers such a system, the worm infects it, collects information on it (IP address, logins, passwords) in the mail.log file and then sends it to an e-mail address.
In addition, the worm attempts to contact the www.51.net site (the 51.net domain is registered in China) via the Internet and download the file crew.tgz from it. The archive is then uncompressed on the infected computer, and the routines it installs make the infected system scan the global network in its turn, searching for new victims.
mIRC.Acoragil and mIRC.Simpsalapim are the first known mIRC worms. Their names originate from the code words used by the worms: if the text sent to a channel by any user contains the line Acoragil, then all users infected with the mIRC.Acoragil worm are automatically disconnected from that channel. The same happens with the mIRC.Simpsalapim worm, which reacts in the same manner to the line Simpsalapim.
Infection source: through the network, using mIRC commands, the worms send their code in a SCRIPT.INI file to each new user connecting to the channel.
Activity algorithm: the worms contain a Trojan code portion. mIRC.Simpsalapim contains code for IRC channel capture: if the mIRC channel owner is infected, entering the password (ananas) enables a hacker to seize control of the channel.
mIRC.Acoragil sends DOS, Windows or UNIX system files in response to received code words. Some code words are chosen so as to attract no attention from the victim, such as hi or the. One modification of the worm sends the UNIX password file to the hacker.
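The following is an added example, not part of this manual and not Kaspersky code: a small defender-side sweep that checks for the indicators described above for the Linux worm (a start.sh command appended to /etc/rc.d/rc.sysinit, the "RameN Crew" defacement text) and for the mIRC worms (the Acoragil and Simpsalapim code words appearing in channel text). All sample inputs and the /tmp/.hidden path are constructed for the example.

```python
import re

# Constructed samples (not real worm artifacts): an rc.sysinit with an appended
# start command, a defaced index page and a few IRC channel messages.
SAMPLE_RC_SYSINIT = """#!/bin/sh
# /etc/rc.d/rc.sysinit - system initialization
. /etc/init.d/functions
/sbin/hwclock --hctosys
/tmp/.hidden/start.sh
"""
SAMPLE_INDEX_HTML = "<html><body>RameN Crew - Hackers looooooooooooove noodles</body></html>"
SAMPLE_CHANNEL_LOG = [
    "<alice> anyone around?",
    "<bob> Acoragil",
    "<carol> simpsalapim please",
]

# Indicators taken from the descriptions above; the path in the sample is an assumption.
START_SH_RE = re.compile(r"(?:^|[\s;&|])\S*start\.sh(?:\s|$)")
DEFACEMENT_RE = re.compile(r"RameN Crew", re.IGNORECASE)
CODE_WORDS = ("acoragil", "simpsalapim")

def rc_sysinit_start_lines(text):
    """Return (line_no, line) for non-comment rc.sysinit lines that launch a start.sh."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#") and START_SH_RE.search(s):
            hits.append((no, s))
    return hits

def is_defaced(html):
    """True if the page carries the Ramen defacement text."""
    return DEFACEMENT_RE.search(html) is not None

def code_word_messages(lines):
    """Return channel lines containing a worm code word as a whole word (case-insensitive)."""
    pat = re.compile(r"\b(" + "|".join(CODE_WORDS) + r")\b", re.IGNORECASE)
    return [l for l in lines if pat.search(l)]

def sweep(rc_text, index_html, channel_lines):
    """Collect human-readable findings from all three checks."""
    findings = [f"rc.sysinit:{no}: start command added: {line}"
                for no, line in rc_sysinit_start_lines(rc_text)]
    if is_defaced(index_html):
        findings.append("index page: Ramen defacement text present")
    findings += [f"channel: code word seen: {l}" for l in code_word_messages(channel_lines)]
    return findings

if __name__ == "__main__":
    for f in sweep(SAMPLE_RC_SYSINIT, SAMPLE_INDEX_HTML, SAMPLE_CHANNEL_LOG):
        print(f)
```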