From: Robert Harley (Robert.Harley@inria.fr)
Date: Thu May 17 2001 - 09:00:02 PDT
Seen on LinuxToday: a good virus that goes around fixing up the mess
left by a bad one!
http://linuxtoday.com/news_story.php3?ltsn=2001-05-17-002-20-SC
==============================================================================
Cheese the Friendly Worm is loose, out to close back doors left open
by the recent Lion worm, which exploited vulnerabilities in BIND.
According to the Computer Emergency Response Team at Carnegie Mellon,
the Cheese worm exploits the same back door Lion used, applies a patch
to eliminate the back doors left by Lion, then runs scans from the
host it's just visited to find other infected machines with port 10008
open, and spreads to them, applying its patch as it goes.
This mail on the SecurityFocus.com incidents mailing list described
the worm in action:
It scans 10008 port which opened by 1i0n worm. and removes rootshells
from inetd.conf
It says
# removes rootshells running from /etc/inetd.conf
# after a l10n infection... (to stop pesky haqz0rs
# messing up your box even worse than it is already)
# This code was not written with malicious intent.
# Infact, it was written to try and do some good.
[...]
==============================================================================
R
.-. .-.
/ \ .-. .-. / \
/ \ / \ .-. _ .-. / \ / \
/ \ / \ / \ / \ / \ / \ / \
/ \ / \ / `-' `-' \ / \ / \
\ / `-' `-' \ /
`-' `-'
This archive was generated by hypermail 2b29 : Thu May 17 2001 - 13:43:37 PDT