Worm Detected

New (3.1.4)

Impact

There is evidence that the system has been penetrated by an Internet worm. Files or system information may have been transmitted to remote parties, or unauthorized file modifications may have taken place. Furthermore, the system is likely being used as a launching point for further propagation of the worm across the network.

Background

A worm is a self-replicating program designed to spread across a network without requiring any outside actions to take place. The main difference between a worm and a virus is that a virus relies on human actions, such as sending e-mail or sharing files, to copy itself from one computer to another, whereas a worm is able to do so independently, allowing it to spread much faster.

The Problem

The Ramen worm spreads between Red Hat Linux 6.2 and 7.0 systems by exploiting well-known vulnerabilities in wu-ftpd, rpc.statd, and LPRng. When the Ramen worm installs itself on a new host, it takes the following actions:

Resolution

The steps below explain how to remove the Ramen worm from an infected system. However, removing the worm does not solve the problem at its root. The presence of the worm is evidence that a critical vulnerability exists on the host. The system should be taken offline until it is certain that wu-ftpd, rpc.statd, and LPRng have been upgraded to the latest, patched versions.

To remove the worm, follow these steps:

  1. Delete /usr/src/.poop and /sbin/asp.
  2. If it exists, remove /etc/xinetd.d/asp.
  3. Remove all lines in /etc/rc.d/rc.sysinit which refer to any file in /usr/src/.poop.
  4. Remove any lines in /etc/inetd.conf referring to /sbin/asp.
  5. Reboot the system or manually kill any processes such as synscan, start.sh, scan.sh, hackl.sh, or hackw.sh.
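As an added check that is not part of the original advisory: a POSIX shell audit that reports each artifact named in the removal steps above without deleting anything, so it can confirm a cleanup or inspect a mounted image of the offline host. The root-prefix argument, the `FOUND:` output format and the exit-status convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): read-only audit for the Ramen
# artifacts listed in the removal steps. It reports, never deletes, so it
# can confirm a cleanup or inspect an offline system image.
# Usage: ramen_audit [root]  -- root is an assumed prefix for a mounted
# image; empty or "/" means the live host (processes are checked only there).

ramen_audit() {
    root="${1%/}"          # "/" and "" both mean the live host
    found=0

    # Steps 1 and 2: the worm's working directory, binary and xinetd service
    for f in /usr/src/.poop /sbin/asp /etc/xinetd.d/asp; do
        if [ -e "$root$f" ]; then
            echo "FOUND: $root$f"
            found=$((found + 1))
        fi
    done

    # Steps 3 and 4: persistence hooks in rc.sysinit and inetd.conf
    if [ -f "$root/etc/rc.d/rc.sysinit" ] &&
       grep -q '/usr/src/\.poop' "$root/etc/rc.d/rc.sysinit"; then
        echo "FOUND: /etc/rc.d/rc.sysinit references /usr/src/.poop"
        found=$((found + 1))
    fi
    if [ -f "$root/etc/inetd.conf" ] &&
       grep -q '/sbin/asp' "$root/etc/inetd.conf"; then
        echo "FOUND: /etc/inetd.conf references /sbin/asp"
        found=$((found + 1))
    fi

    # Step 5: worm processes, checked only on the live host. -f matches the
    # full command line because the .sh scripts run under an interpreter.
    if [ -z "$root" ]; then
        for p in synscan start.sh scan.sh hackl.sh hackw.sh; do
            if pgrep -f "$p" >/dev/null 2>&1; then
                echo "FOUND: running process $p"
                found=$((found + 1))
            fi
        done
    fi

    echo "ramen indicators: $found"
    [ "$found" -eq 0 ]   # exit status 0 = clean, 1 = indicators present
}

if [ $# -gt 0 ]; then
    ramen_audit "$1"
fi
```

Run it as `sh ramen_audit.sh /mnt/image` against a mounted copy of the host, or with `/` on the live system; a non-zero exit status means at least one artifact is still present.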

Where can I read more about this?

This worm was discussed in an X-Force advisory and in the Symantec AntiVirus Research Center.

For general information about worms and how they differ from viruses, see the Symantec AntiVirus Research Center.