

md5sum: a3b3f9fb1370d8bc561efd4a2a75af33 *linux_ramen.tar.gz
sha1sum: 3b19e059cd3aba6b762689634451b4a8633408cb linux_ramen.tar.gz

Does this board really allow me to edit other users' articles? Answer: Yes. -- INT 0x21

This is not, in fact, the Ramen worm. It's ADMw0rm

ClamAV scanned this file as "Worm.ADM-3" and I thought that it was a false positive. But the MD5 didn't match that of my Ramen sample (which I'll upload shortly.) So, I examined it, and it was obviously ADMw0rm. (The w0rm/ADMw0rm kinda gives that away.)

The original filename/size/MD5/etc. is:

Original Location:
Size (in bytes):
Timestamp (my copy):
1999-03-22 21:23:00.000000000 -0800

Apparently, it was first made public on May 29, 1998, so the mtime on must have changed in Mar 1999.

The uncompressed .tar file's MD5sum is: "6c5c2a7af25f4ae55658ea6b3dcb10fa", which is the same as the gunzip'ped contents of this "linux_ramen.tar.gz". So, apparently, someone's just re-gzip'ped this and re-named it.

This is the list of files:

block 0: drwxr-xr-x root/root 0 1998-05-16 16:35:55 w0rm/
block 1: -rwxr-xr-x root/root 765 1998-05-12 16:43:54 w0rm/incremental
block 4: -rwxr-xr-x root/root 545 1998-05-10 10:14:21 w0rm/gimmeIP
block 7: -rw-r--r-- root/root 819 1998-05-16 16:35:55 w0rm/README
block 10: -rw-r--r-- root/root 314 1998-05-13 06:47:39 w0rm/gimmeRAND.c
block 12: -rw-r--r-- root/root 1483 1998-05-13 06:41:34 w0rm/scanconnect.c
block 16: -rw-r--r-- root/root 4098 1998-05-01 04:37:40 w0rm/remotecmd.c
block 26: -rw-r--r-- root/root 5892 1998-05-13 06:44:50 w0rm/named_ADMv2.c
block 39: -rwxr-xr-x root/root 1725 1998-05-14 19:57:24 w0rm/ADMw0rm
block 44: -rw-r--r-- root/root 4299 1998-05-10 10:42:12 w0rm/testvuln.c
block 54: -rwxr-xr-x root/root 670 1998-05-14 19:47:19 w0rm/startup
block 57: ** Block of NULs **

This is the README file:
(This really needs <pre> tags around it, but drupal (is that what this site is running?) doesn't seem to allow <pre> tags. I don't feel like tweaking the spaces to keep the ascii art formatted.)

___ ______ _ _
/ \ | _ \ | \ / |
| / \ | | | \ | | \_/ |
| |___| | | |_ / | | \_/ |
..oO THE | --- | | / | | | | CreW Oo..
''' ''' ''''''' '''' ''''

the adm inet w0rm...

the w0rm is a linux/x86 spef he exploit the bind/iquery vuln

no help allowed just look ADMw0rm and startup ....

take care about one things!!! dont launch the w0rm on your box
cuz he create a big security problem.... :p
it's just for educational purpose of coursseeeeeeeeeeee


Sweden chix has born to be fuck

find 'em
fuck 'em
forget 'em


Attacks ISC BIND versions installed by default on RedHat 4.0 thru 5.2, and possibly BIND 4.9.6. (I haven't tested this myself.) It creates a "w0rm" null-passworded user account, with a setuid rootshell "/tmp/.w0rm". And there were several variations in the wild. (So saith: Max Vision)

CERT's Summary:
CVE enumeration:
CAN-1999-0660 (Should probably get a CME number now that Mitre is doing that.)

On Feb. 28 (1999?) Max Vision <> wrote: "A Brief Analysis of the ADM Internet Worm", which was available at: (Site's been down for the last few months.) You can see a copy of it at: and I'm sure there are other copies floating around. (Oh yeah,

More Google searches will turn up more info on this. There were a lot of messages about it on [Bugtraq] and stuff. Personally, I've never touched this worm, so I don't have any new info to add.
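
Added example (not part of the original post, and not code from the sample): the post identifies a renamed, re-gzipped archive by hashing the decompressed .tar rather than the .tar.gz. The sketch below reproduces that check on constructed data, and also reads the name and mtime stored in the gzip header. The archive contents, file names and timestamps are made up for the demonstration.

```python
import gzip, hashlib, io, struct, tarfile

def build_tar(members):
    """Build a small tar in memory (constructed sample data, not the real archive)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, body in members.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(body), 895000000
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def regzip(tar_bytes, stored_name, mtime):
    """Compress the same tar with a different stored name and timestamp."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=stored_name, mode="wb", fileobj=buf, mtime=mtime) as gz:
        gz.write(tar_bytes)
    return buf.getvalue()

def gzip_header(gz):
    """Read MTIME and the optional FNAME field from the gzip header (RFC 1952)."""
    magic, method, flags, mtime = struct.unpack("<HBBI", gz[:8])
    if magic != 0x8B1F or method != 8:
        raise ValueError("not a gzip/deflate stream")
    pos = 10
    if flags & 0x04:                      # FEXTRA: skip the extra field
        pos += 2 + struct.unpack("<H", gz[pos:pos + 2])[0]
    name = None
    if flags & 0x08:                      # FNAME: NUL-terminated original name
        name = gz[pos:gz.index(b"\0", pos)].decode("latin-1")
    return {"mtime": mtime, "name": name}

def fingerprint(gz):
    """Hash the container and the decompressed payload separately."""
    inner = gzip.decompress(gz)
    with tarfile.open(fileobj=io.BytesIO(inner)) as tar:
        members = tar.getnames()
    return {"outer_md5": hashlib.md5(gz).hexdigest(),
            "inner_md5": hashlib.md5(inner).hexdigest(),
            "header": gzip_header(gz), "members": members}

# Constructed inputs: one tar, gzipped twice under different names and mtimes.
TAR = build_tar({"sample/README": b"constructed\n", "sample/notes.txt": b"data\n"})
A = fingerprint(regzip(TAR, "original.tar", 895000000))
B = fingerprint(regzip(TAR, "renamed.tar", 922166580))

if __name__ == "__main__":
    for fp in (A, B):
        print(fp["outer_md5"], fp["inner_md5"], fp["header"], fp["members"])
```

The outer hashes differ because the gzip header carries its own name and timestamp, while the inner hash and member list stay identical, which is why sample collections are better indexed by the hash of the decompressed payload as well as the container.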