Linux/Cheese.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 06/20/2001
Length: Various
Minimum DAT: 4141 (05/30/2001)
Updated DAT: 4299 (10/22/2003)
Minimum Engine: 5.1.00
Description Added: 03/17/2003
Description Modified: 03/17/2003 8:58 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

The Cheese worm was designed to spread using backdoors left open by other attacks; specifically, it attempts to connect to port 10008, which is the port used by a known rootkit for the ISC BIND vulnerability.
On an infected system, the Cheese worm scans the file inetd.conf for lines containing /bin/sh (typically backdoors) and removes them. It then restarts the inetd daemon so that existing rootkits are no longer listening for connections, and then scans a /16 network range for open 10008 ports to propagate further.

Upon execution, the worm checks for the presence of the file ADL. If the file exists, execution stops immediately.
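
The inetd.conf condition described above can be audited directly. The following is an added example, not part of the original description or of any vendor tool: it flags active inetd.conf entries that launch /bin/sh or listen on port 10008. The function name, the reason strings and the sample configuration are constructed for illustration.

```python
WORM_PORT = "10008"  # backdoor port named in the description above
SHELL = "/bin/sh"    # string the worm searches inetd.conf for

# Constructed sample inetd.conf (not from a real host). Fields per entry:
# service socket-type protocol wait-flag user server-program [arguments]
SAMPLE = """\
# constructed sample
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /bin/sh  sh
10008   stream  tcp  nowait  root  /bin/sh  sh
pop3    stream  tcp  nowait  root  /usr/sbin/tcpd  /bin/sh
"""

def audit_inetd(conf_text):
    """Return (line number, service, reasons) for each suspicious active entry."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented out: inetd ignores it
        fields = line.split()
        if len(fields) < 6:
            continue                      # not a complete service entry
        service, command = fields[0], fields[5:]
        reasons = []
        # Match the end of a token so a path such as /bin/shutdown is not flagged.
        if any(tok.endswith(SHELL) for tok in command):
            reasons.append("spawns " + SHELL)
        # The service field may be a name, a port, or host:port.
        if service.rsplit(":", 1)[-1] == WORM_PORT:
            reasons.append("listens on port " + WORM_PORT)
        if reasons:
            findings.append((lineno, service, reasons))
    return findings

if __name__ == "__main__":
    for lineno, service, reasons in audit_inetd(SAMPLE):
        print(f"line {lineno}: {service}: {', '.join(reasons)}")
```

An entry flagged here means a shell is exposed through inetd; an inetd.conf with no such entries on a previously compromised host is consistent with the worm having already removed them.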

Symptoms

Presence of any of these files on the system:

  • cheese 2381
  • go 47
  • psm 15471

Method of Infection

This worm spreads by using a backdoor opened by another rootkit.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.