BSD/Walk.worm

Type
Virus
SubType
Internet Worm
Discovery Date
08/15/2001
Length
the source (x.c) is 6261
Minimum DAT
4155 (08/22/2001)
Updated DAT
4155 (08/22/2001)
Minimum Engine
5.1.00
Description Added
03/26/2003
Description Modified
03/26/2003 10:44 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

The Walk worm takes advantage of a vulnerability in the telnetd daemon on BSD systems.
It begins by scanning random IP addresses looking for a vulnerable telnetd. Once one is found, it compromises the system, opens a backdoor and restarts the cycle.
By exploiting telnetd it executes a series of commands on the remote system:
- copies the source code from http://mri.am.lublin.pl/x.c to /x.c
- compiles it to x and removes the source
- sets permissions on the binary to 555 and strips the binary
- sets the binary's timestamp to the same value as /usr/sbin/cron
- copies the binary to '/usr/bin/cron[space]' and executes it
- adds a reference to rc.local
- adds a line to inetd.conf to spawn a shell attached to port 145 (uaac). Anyone connecting to port 145 will control a shell with root permissions
- adds the line 'sh: ALL' to /etc/host.allow
- restarts inetd
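As an added, defender-side example (not code from this description, McAfee, or the worm), the following POSIX shell script checks a system or a mounted image for the persistence artifacts listed above. It assumes the standard BSD locations named in the description, and that the TCP wrappers file may be spelled either /etc/hosts.allow (the real BSD name) or /etc/host.allow (as written here).

```sh
#!/bin/sh
# Added example: read-only check for the Walk worm's persistence artifacts.
# $1 is an optional root prefix: "" for the live system, or e.g.
# "/mnt/evidence" for a mounted disk image. Not part of any vendor tool.

# inetd.conf: the worm binds a root shell to the uaac service (tcp/145).
# A stock BSD inetd.conf has no uaac entry, so any uncommented one is a hit.
walk_check_inetd() {
    grep -Ev '^[[:space:]]*#' "$1" 2>/dev/null | grep -Eq '^(uaac|145)[[:space:]]'
}

# TCP wrappers: the worm appends 'sh: ALL'. The description writes
# "host.allow"; the real file on BSD is /etc/hosts.allow, so walk_scan tries both.
walk_check_hosts_allow() {
    grep -Eq '^[[:space:]]*sh[[:space:]]*:[[:space:]]*ALL' "$1" 2>/dev/null
}

# rc.local: legitimate cron lives in /usr/sbin on BSD; the worm's copy is
# under /usr/bin, so a reference to /usr/bin/cron is suspicious.
walk_check_rc_local() {
    grep -q '/usr/bin/cron' "$1" 2>/dev/null
}

# The dropped binary is named 'cron ' (trailing space). Its timestamp is
# copied from /usr/sbin/cron, so mtime comparisons will not reveal it.
walk_check_binary() {
    [ -f "$1/cron " ]
}

# Runs all checks, prints each finding, returns the number of hits (0 = clean).
walk_scan() {
    root=${1:-}
    hits=0
    walk_check_inetd "$root/etc/inetd.conf" && { echo "HIT inetd.conf: uaac/145 service enabled"; hits=$((hits+1)); }
    for f in "$root/etc/hosts.allow" "$root/etc/host.allow"; do
        walk_check_hosts_allow "$f" && { echo "HIT $f: 'sh: ALL' entry"; hits=$((hits+1)); break; }
    done
    walk_check_rc_local "$root/etc/rc.local" && { echo "HIT rc.local: references /usr/bin/cron"; hits=$((hits+1)); }
    walk_check_binary "$root/usr/bin" && { echo "HIT /usr/bin/cron[space] present"; hits=$((hits+1)); }
    return $hits
}
```

A non-zero exit status from walk_scan means at least one indicator was found; the count is the number of distinct artifacts, so a single hit on a freshly patched host still warrants inspection of inetd.conf and the binary.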

Symptoms

This worm spreads by compromising systems with a vulnerable telnetd daemon.

Method of Infection

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
