Sophos

Linux/Ramen

Aliases
  • Linux/Ramen.Worm
  • Linux.Ramen

Summary

 
Included in our products from: March 2001 (3.43)
Detected by: All Sophos products

More Information

Please note: This worm does not infect Windows users.

This is an internet worm for Linux. It attempts to use three remote exploits to gain access to computers running Red Hat 6.2 and 7.0. Once it has access to the computer, it downloads a copy of itself to /tmp/ramen.tgz and extracts itself to the /usr/src/.poop directory. It appends a line to /etc/rc.d/rc.sysinit so that it is executed on startup.

Once executed, the worm remains running until the machine is switched off. While the worm is active, it chooses a class B internet network at random and probes all addresses in the range, looking for machines to infect.

The worm may delete /usr/sbin/lpd or /sbin/rpc.statd or /usr/sbin/rpc.statd to close the exploit it used to gain access to the system.

To propagate copies of itself, it installs a service named asp, either by appending a line to /etc/inetd.conf or by overwriting the file /etc/xinetd.conf. The worm replaces all index.html files on the computer with an HTML file containing the text:

'Hackers looooooooooooooooove noodles.'

Sophos recommends Red Hat Linux users update their systems with the latest security patches.

For more information, please consult the Red Hat Linux website.
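
A triage check for the artifacts described above, as an added example that is not Sophos code. It assumes the line appended to /etc/rc.d/rc.sysinit names the /usr/src/.poop directory (the page does not give the line); the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Sophos code: check a filesystem for the Ramen artifacts
# listed on this page. ROOT is a mounted image, or / for the live system.

hit() { echo "FOUND: $1"; RAMEN_HITS=$((RAMEN_HITS + 1)); }

ramen_check() {
    root="${1%/}"
    RAMEN_HITS=0

    # Dropped archive and the directory it is extracted into
    for p in /tmp/ramen.tgz /usr/src/.poop; do
        if [ -e "$root$p" ]; then hit "$p exists"; fi
    done

    # Boot persistence. Assumption: the appended line names the .poop directory
    if grep -q '/usr/src/\.poop' "$root/etc/rc.d/rc.sysinit" 2>/dev/null; then
        hit "/etc/rc.d/rc.sysinit references /usr/src/.poop"
    fi

    # The "asp" service, in inetd.conf and xinetd.conf syntax
    if grep -Eq '^[[:space:]]*asp[[:space:]]' "$root/etc/inetd.conf" 2>/dev/null; then
        hit "/etc/inetd.conf defines service asp"
    fi
    if grep -Eq '^[[:space:]]*service[[:space:]]+asp([[:space:]]|$)' \
        "$root/etc/xinetd.conf" 2>/dev/null; then
        hit "/etc/xinetd.conf defines service asp"
    fi

    # Replaced index.html files (-xdev: stays on ROOT's own filesystem)
    defaced=$(find "$root/" -xdev -type f -name index.html \
        -exec grep -l 'Hackers loo*ve noodles' {} + 2>/dev/null) || true
    if [ -n "$defaced" ]; then hit "defaced index.html files:"; echo "$defaced"; fi

    # Daemons the worm may delete; absence alone proves nothing
    for p in /usr/sbin/lpd /sbin/rpc.statd /usr/sbin/rpc.statd; do
        if [ ! -e "$root$p" ]; then echo "NOTE: $p is missing"; fi
    done
}

# Constructed demo tree (not real evidence) with two planted artifacts
demo=$(mktemp -d)
mkdir -p "$demo/usr/src/.poop" "$demo/etc"
printf 'asp stream tcp nowait root /bin/false false\n' > "$demo/etc/inetd.conf"
ramen_check "$demo"
rm -rf "$demo"
```

The NOTE lines are informational only, since lpd and rpc.statd may never have been installed on the host being checked.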
