Linux/Ramen.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 01/17/2001
Length:
Minimum DAT: 4117 (01/24/2001)
Updated DAT: 5069 (07/06/2007)
Minimum Engine: 5.1.00
Description Added: 01/17/2001
Description Modified: 07/23/2002 5:02 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is an Internet worm that targets Linux web servers, in practice Red Hat Linux 6.x and 7.0 installations. It consists of several components, each with a specific function: exploits for the vulnerable services listed under Method of Infection, a scanner that finds new targets, and the shell scripts that tie them together.

The worm copies itself to Linux systems that run one of the services it carries exploits for. The file transferred to the new victim is ramen.tgz.

Symptoms

Index pages on affected Web servers may have content modified with the text:

    RameN Crew
    Hackers looooooooooooooooove noodles.™
    This site powered by

On the host itself, the directory /usr/src/.poop exists, /etc/rc.d/rc.sysinit runs a script from it, and /etc/inetd.conf carries entries the administrator did not add (see Removal). The service the worm came in through (wu-ftpd, rpc.statd or LPRng) is typically no longer running.

Method of Infection

The worm gains root on a Linux web server through one of three known, remotely exploitable vulnerabilities in services shipped with Red Hat Linux 6.x and 7.0. Once it has root, it unpacks ramen.tgz on the host and, using its ELF binaries and shell scripts, starts scanning the Internet for further servers to attack.

The first exploit targets wu-ftpd. An unpatched server can be exploited through the FTP SITE EXEC command (a format string flaw in the command handler) to run code as root. Red Hat published updated wu-ftpd packages for Red Hat Linux 6.x that close this hole.

The second exploit targets rpc.statd, the NFS status monitor. Unpatched versions pass attacker-controlled data to syslog() as the format string, so a crafted request can be used to execute code as root. Red Hat published updated packages for Red Hat Linux 6.x.

The third exploit is used against Red Hat 7.0 installations and targets the LPRng print spooler. LPRng has the same class of flaw: user-supplied data reaches syslog() as a format string and can be exploited to gain root. Red Hat published updated LPRng packages for Red Hat Linux 7.x.

Once root has been obtained, several scripts and ELF binaries are executed to carry out further propagation. A SYN scanner, run from a program named synscan62, sweeps address ranges across the Internet looking for hosts that appear to be Red Hat 6 or 7 servers exposing one of the services above; each hit is attacked with the matching exploit.

One side effect of this worm is that it removes the service it exploited to gain access. This prevents the same host being reinfected by that route, but it is not a cleanup: the worm, its startup hook and its inetd entry remain. Responders should also note the converse: a Red Hat host on which wu-ftpd, rpc.statd or lpd has unexpectedly disappeared may already have been compromised, so the absence of the vulnerable service is not evidence that the host is clean.

Removal

Use specified DAT and Engine for detection and removal.

Additional Instructions:

Patch all three services described under Method of Infection, not only the one the worm used on this host: wu-ftpd (SITE EXEC) and rpc.statd on Red Hat 6.x, and LPRng on Red Hat 7.x. The worm removes the service it exploited, but a reinstalled or unpatched copy is exploitable again, and the other two services may still be exposed.

Edit /etc/rc.d/rc.sysinit and remove any line that runs a script from the folder /usr/src/.poop, then delete that folder. Remove the entries the worm added to /etc/inetd.conf as well. Restore defaced index pages from a known-good copy rather than editing the modified files in place.

A restart of the system afterwards is strongly recommended, so that nothing started by the worm survives in memory.
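The following script is an added example written for this page; it is not code from the page or from the worm itself. It turns the indicators named under Symptoms and Removal (the RameN Crew banner in index pages, the /usr/src/.poop directory, and the rc.sysinit and inetd.conf references) into a check-then-clean procedure. It assumes an inetd entry and a startup hook of the shape built in make_sample; the page only says that both files reference /usr/src/.poop. Run it as "sh ramen.sh check /" on a suspect host, "sh ramen.sh clean /" after taking a forensic copy of the disk, or "sh ramen.sh demo" to exercise it on a constructed tree.

```shell
#!/bin/sh
# Added example, not part of the original page: check a Linux host for the
# Ramen artifacts this page names, and strip them. ROOT is prefixed to every
# path so the same functions run against a constructed sample tree (see
# make_sample) as well as against a live host with ROOT=/.

POOP_DIR="/usr/src/.poop"          # worm install directory (Removal section)
DEFACE_MARK="RameN Crew"           # first line of the defacement (Symptoms)
RC_SYSINIT="/etc/rc.d/rc.sysinit"  # startup script the worm hooks (Removal)
INETD_CONF="/etc/inetd.conf"       # inetd config the worm edits (Removal)

# defaced_pages ROOT: list index.html files under ROOT carrying the banner.
defaced_pages() {
    find "$1" -name index.html -exec grep -lF "$DEFACE_MARK" {} \; 2>/dev/null
}

# ramen_check ROOT: print every indicator found under ROOT.
# Returns 0 if at least one indicator was found, 1 if none.
ramen_check() {
    root="$1"
    hits=0
    if [ -d "$root$POOP_DIR" ]; then
        echo "hit: $POOP_DIR exists"
        hits=$((hits + 1))
    fi
    for cfg in "$RC_SYSINIT" "$INETD_CONF"; do
        if [ -f "$root$cfg" ] && grep -qF "$POOP_DIR" "$root$cfg"; then
            echo "hit: $cfg references $POOP_DIR"
            hits=$((hits + 1))
        fi
    done
    pages=$(defaced_pages "$root")
    if [ -n "$pages" ]; then
        echo "hit: defaced index page(s):"
        echo "$pages"
        hits=$((hits + 1))
    fi
    [ "$hits" -gt 0 ]
}

# strip_lines FILE PATTERN: keep a .ramen-bak copy of FILE, then drop every
# line containing PATTERN (fixed string, not a regex).
strip_lines() {
    file="$1"
    pat="$2"
    [ -f "$file" ] || return 0
    cp "$file" "$file.ramen-bak"
    grep -vF "$pat" "$file.ramen-bak" > "$file" || :   # grep -v exits 1 if nothing is left
}

# ramen_clean ROOT: remove the rc.sysinit hook, the inetd entry and the worm
# directory, and move defaced index pages aside so the web server stops
# serving them (restore them from a known-good copy afterwards). Patching the
# exploited service and rebooting, as the Removal section says, still apply.
ramen_clean() {
    root="$1"
    [ -n "$root" ] || { echo "usage: ramen_clean ROOT (use / for the live host)" >&2; return 2; }
    strip_lines "$root$RC_SYSINIT" "$POOP_DIR"
    strip_lines "$root$INETD_CONF" "$POOP_DIR"
    rm -rf "$root$POOP_DIR"
    defaced_pages "$root" | while IFS= read -r page; do
        mv "$page" "$page.ramen-defaced"
    done
}

# make_sample ROOT: build a constructed tree that mimics an infected host.
# The inetd line and the startup hook are assumed shapes for this demo, not
# captured from the worm; the page only says both files reference /usr/src/.poop.
make_sample() {
    root="$1"
    mkdir -p "$root$POOP_DIR" "$root/etc/rc.d" "$root/var/www/html"
    printf '#!/bin/sh\n# system init\n/usr/src/.poop/start.sh\n' > "$root$RC_SYSINIT"
    printf 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n' > "$root$INETD_CONF"
    printf 'asp stream tcp nowait root /usr/src/.poop/asp\n' >> "$root$INETD_CONF"
    printf 'RameN Crew\nHackers looooooooooooooooove noodles.\n' > "$root/var/www/html/index.html"
}

# ramen_demo: check, clean, check again on a constructed tree.
# Returns 0 when the clean pass leaves no indicators behind.
ramen_demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp"
    echo "== before clean =="
    ramen_check "$tmp" || echo "(no indicators)"
    ramen_clean "$tmp"
    echo "== after clean =="
    if ramen_check "$tmp"; then
        rm -rf "$tmp"
        return 1
    fi
    echo "(no indicators)"
    rm -rf "$tmp"
}

case "${1:-}" in
    check) ramen_check "${2:-/}" ;;
    clean) ramen_clean "${2:-/}" ;;
    demo)  ramen_demo ;;
esac
```

The check step matches on the fixed string /usr/src/.poop rather than on a regex, so the dot in the path cannot widen the match, and every file the clean step touches is copied to a .ramen-bak first so the original lines remain available as evidence. Defaced pages are moved aside rather than deleted for the same reason.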

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Elf_Ramen (Trend)
  • Linux.Ramen
  • Linux.Ramen.Worm (NAV)
  • Worm.Linux.Ramen
