linux_ramen

md5sum: a3b3f9fb1370d8bc561efd4a2a75af33 *linux_ramen.tar.gz
sha1sum: 3b19e059cd3aba6b762689634451b4a8633408cb linux_ramen.tar.gz

http://securityresponse.symantec.com/avcenter/venc/data/linux.ramen.worm.html

Does this board really allow me to edit other users' articles? Answer: Yes. -- INT 0x21

This is not, in fact, the Ramen worm. It's ADMw0rm.

ClamAV scanned this file as "Worm.ADM-3" and I thought that it was a false positive. But the MD5 didn't match that of my Ramen sample (which I'll upload shortly). So, I examined it, and it was obviously ADMw0rm. (The w0rm/ADMw0rm kinda gives that away.)

The original filename/size/MD5/etc. is:

Original Location: ftp://adm.freelsd.net/pub/ADM/ADMw0rm-v1.tgz
Size (in bytes): 7427
Timestamp (my copy): 1999-03-22 21:23:00.000000000 -0800
MD5: 4af67c45fda4e20affe8dcaa40baad93
SHA1: ceb1972cb5b82c6367ce1fec2aa2b7f7b9b8378f

Apparently, it was first made public on May 29, 1998, so the mtime on adm.freelsd.net must have changed in Mar 1999.

The uncompressed .tar file's MD5sum is: "6c5c2a7af25f4ae55658ea6b3dcb10fa", which is the same as the gunzip'ped contents of this "linux_ramen.tar.gz". So, apparently, someone's just re-gzip'ped this and re-named it.

This is the list of files:

block 0: drwxr-xr-x root/root 0 1998-05-16 16:35:55 w0rm/
block 1: -rwxr-xr-x root/root 765 1998-05-12 16:43:54 w0rm/incremental
block 4: -rwxr-xr-x root/root 545 1998-05-10 10:14:21 w0rm/gimmeIP
block 7: -rw-r--r-- root/root 819 1998-05-16 16:35:55 w0rm/README
block 10: -rw-r--r-- root/root 314 1998-05-13 06:47:39 w0rm/gimmeRAND.c
block 12: -rw-r--r-- root/root 1483 1998-05-13 06:41:34 w0rm/scanconnect.c
block 16: -rw-r--r-- root/root 4098 1998-05-01 04:37:40 w0rm/remotecmd.c
block 26: -rw-r--r-- root/root 5892 1998-05-13 06:44:50 w0rm/named_ADMv2.c
block 39: -rwxr-xr-x root/root 1725 1998-05-14 19:57:24 w0rm/ADMw0rm
block 44: -rw-r--r-- root/root 4299 1998-05-10 10:42:12 w0rm/testvuln.c
block 54: -rwxr-xr-x root/root 670 1998-05-14 19:47:19 w0rm/startup
block 57: ** Block of NULs **
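A triage check for the point above (two .tar.gz files whose gzip wrappers hash differently but whose inner tar is the same), as an added Python example that is not from the original post. The hashes are the ones quoted on this page; the archive it builds is a constructed placeholder, not the worm.

```python
import gzip
import hashlib
import io
import tarfile
import time

# Hashes quoted on this page: the two gzip wrappers differ, the tar inside is the same.
KNOWN_OUTER_MD5 = {
    "linux_ramen.tar.gz": "a3b3f9fb1370d8bc561efd4a2a75af33",
    "ADMw0rm-v1.tgz": "4af67c45fda4e20affe8dcaa40baad93",
}
KNOWN_INNER_TAR_MD5 = "6c5c2a7af25f4ae55658ea6b3dcb10fa"


def triage_tgz(data: bytes) -> dict:
    """Hash the .tar.gz as stored, hash the decompressed tar, and list its members."""
    inner = gzip.decompress(data)
    inner_md5 = hashlib.md5(inner).hexdigest()
    members = []
    with tarfile.open(fileobj=io.BytesIO(inner), mode="r:") as tf:
        for m in tf.getmembers():
            stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(m.mtime))
            members.append((m.name, m.size, stamp))
    return {
        "outer_md5": hashlib.md5(data).hexdigest(),
        "outer_sha1": hashlib.sha1(data).hexdigest(),
        "inner_md5": inner_md5,
        "known_sample": inner_md5 == KNOWN_INNER_TAR_MD5,  # same tar as ADMw0rm-v1.tgz?
        "members": members,
    }


def same_inner_tar(a: bytes, b: bytes) -> bool:
    """True when two .tar.gz files are re-gzipped/renamed copies of one tar."""
    return triage_tgz(a)["inner_md5"] == triage_tgz(b)["inner_md5"]


def build_constructed_sample(gz_name: str, gz_mtime: int) -> bytes:
    """Constructed stand-in (not the real archive): a tar holding a harmless README,
    gzipped with a chosen header name/mtime so two wrappers of one tar can be compared."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        readme = b"constructed placeholder README, not the ADMw0rm README\n"
        info = tarfile.TarInfo("w0rm/README")
        info.size = len(readme)
        info.mtime = 895336555  # 1998-05-16 16:35:55, the README mtime in the listing (as UTC)
        tf.addfile(info, io.BytesIO(readme))
    gz_buf = io.BytesIO()
    with gzip.GzipFile(filename=gz_name, mode="wb", fileobj=gz_buf, mtime=gz_mtime) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()
```

Run triage_tgz() on the real file and compare against KNOWN_INNER_TAR_MD5 to reproduce the check; the constructed sample only shows why the outer hashes differ.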

This is the README file:
(This really needs <pre> tags around it, but drupal (is that what this site is running?) doesn't seem to allow <pre> tags. I don't feel like tweaking the spaces to keep the ascii art formatted.)

___ ______ _ _
/ \ | _ \ | \ / |
| / \ | | | \ | | \_/ |
| |___| | | |_ / | | \_/ |
..oO THE | --- | | / | | | | CreW Oo..
''' ''' ''''''' '''' ''''
presents

the adm inet w0rm...

the w0rm is a linux/x86 spef he exploit the bind/iquery vuln

no help allowed just look ADMw0rm and startup ....

take care about one things!!! dont launch the w0rm on your box
cuz he create a big security problem.... :p
it's just for educational purpose of coursseeeeeeeeeeee

Cyaaaaaaaaaaaaaaaaaaaaaaaaaa

Sweden chix has born to be fuck

--3xF--
find 'em
fuck 'em
forget 'em
--3xF--

Analysis:

Attacks ISC BIND versions installed by default on RedHat 4.0 thru 5.2, and possibly BIND 4.9.6. (I haven't tested this myself.) It creates a "w0rm" null-passworded user account, with a setuid rootshell "/tmp/.w0rm". And there were several variations in the wild. (So saith: Max Vision)

CERT's Summary: CS-98.05 http://www.cert.org/summaries/CS-98.05.html
CVE enumeration: CAN-1999-0660 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0660 (Should probably get a CME number now that Mitre is doing that.)

On Feb. 28 (1999?) Max Vision <vision@whitehats.com> wrote: "A Brief Analysis of the ADM Internet Worm", which was available at: http://www.whitehats.com/library/worms/adm/index.html (Site's been down for the last few months.) You can see a copy of it at: http://web.archive.org/web/20050301030014/http://www.whitehats.com/library/worms/adm/index.html and I'm sure there's other copies floating around. (Oh yeah, http://www.google.com/search?q=%22A+Brief+Analysis+of+the+ADM+Internet+Worm%22)

More Google searches will turn up more info on this. There were a lot of messages about it on [Bugtraq] and stuff. Personally, I've never touched this worm, so I don't have any new info to add.

--
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*