SunOS/Wanuk.worm
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 02/28/2007
- Length: 26,740 (x86) and 27,876 (Sparc) bytes
- Minimum DAT: 4974 (03/01/2007)
- Updated DAT: 4977 (03/06/2007)
- Minimum Engine: 5.1.00
- Description Added: 02/28/2007
- Description Modified: 02/28/2007 8:11 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update March 1, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.informationweek.com/news/showArticle.jhtml?articleID=197700106
--
This is the detection for the malware known as Solaris Telnet Worm, which exploits a flaw in this remote access service using a known vulnerability (CVE-2007-0882).
It attempts to log in as the "adm" or "lp" users, both of which are accounts created by default on Solaris systems.
When successful, it can install files with the following hardcoded filenames, via telnet commands transmitted as uuencoded data:
- .lp-door.i86pc (SunOS/Wanukdoor, x86)
- .lp-door.sun4 (SunOS/Wanukdoor, Sparc)
- .i86pc (SunOS/Wanuk.worm, x86)
- .sun4 (SunOS/Wanuk.worm, Sparc)
in one or more of the following hardcoded paths:
- /var/adm/sa/.adm
- /var/spool/lp/admins/.lp
It then creates a cron job to restart itself (a scheduled task) and can take further steps to maintain its presence on the system, such as hiding itself from the shell history.
This malware contains several references to old-time worms, such as:
Your System Has Been Officically WANKed, or
(^.^) insert witty message here. (^.^)
More information on the Solaris telnetd vulnerability at:
The vendor has issued a patch for this vulnerability. More information from the vendor at:
Symptoms
- The infected system scans other networks for port 23 and opens a backdoor, already identified as SunOS/Wanukdoor.
- Presence of the files mentioned.
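A host check for the indicators listed under Characteristics and Symptoms, added here as an example and not part of the original description. The file names and drop directories are the ones given above; the crontab location (/var/spool/cron/crontabs, where Solaris keeps per-user crontabs) and the optional ROOT prefix, which lets the check run against an offline mounted image, are assumptions of this example.

```shell
#!/bin/sh
# Added example: look for the SunOS/Wanuk.worm and SunOS/Wanukdoor drop
# files at their hardcoded paths, and for cron entries of the "adm" and
# "lp" accounts that point at those directories (the worm's restart job).

WANUK_DIRS="/var/adm/sa/.adm /var/spool/lp/admins/.lp"
WANUK_FILES=".lp-door.i86pc .lp-door.sun4 .i86pc .sun4"
CRONTAB_DIR="/var/spool/cron/crontabs"   # assumed Solaris location

# wanuk_check [ROOT]: ROOT is an optional filesystem prefix (empty = live host).
# Prints one line per indicator found; returns 0 if clean, 1 if anything was found.
wanuk_check() {
    root=${1:-}
    found=0
    for d in $WANUK_DIRS; do
        for f in $WANUK_FILES; do
            if [ -e "$root$d/$f" ]; then
                echo "file: $root$d/$f"
                found=1
            fi
        done
    done
    # Persistence: a crontab for either default account that references a drop dir.
    for u in adm lp; do
        ct="$root$CRONTAB_DIR/$u"
        [ -f "$ct" ] || continue
        for d in $WANUK_DIRS; do
            if grep "$d" "$ct" >/dev/null 2>&1; then
                echo "cron: $ct references $d"
                found=1
            fi
        done
    done
    return $found
}

# Run directly: wanuk_check /mnt/image   (or no argument for the live host)
if [ $# -gt 0 ]; then
    wanuk_check "$1"
fi
```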
Method of Infection
Exploitation of telnet remote access services using a known vulnerability (CVE-2007-0882).
Removal
Detection is included in the specified DAT release.
In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used. Delete files identified by the scanner, replace them with clean ones from backup or re-install them using the original packages. Reboot the system. Administrators should regularly check for availability of important security updates/patches.
Recommended links: Caldera, Debian, FreeBSD, Redhat, Sun, SuSe
Variants
N/A