Linux/Adore

When Adore is running, it scans for vulnerable hosts from random Class B subnets on the network. If vulnerable host is found, attempts to download the main worm part from a web server located in China, in a similar way that Lion worm does.

After the worm has been downloaded to the victim machine, it is stored in to "/usr/local/bin/lib/" directory and "start.sh" is executed launching the worm.

At the start, "start.sh" replaces "/bin/ps" with trojanized version that does not show processes that are part of the worm. The original "/bin/ps" command is copied "/usr/bin/anacron".

The script also replaces "/sbin/klogd" with a version that has a backdoor. The backdoor activates when it receives a ping packet with correct size, and opens a shell in the port 65535. Orginal "klogd" will be saved to "/usr/lib/klogd.o".

The worm sends sensitive system data, including contents of the "/etc/shadow" file to four different email addresses.

Adore also creates a script file "/etc/cron.daily/0anacron". This file will be executed by the cron daemon with the next daily run. At this time, the worm will remove itself from the system and restore the original "/bin/ps". All worm related processes except the backdoor will be shut down, and the system will be restarted if "/sbin/shutdown" exists. The backdoor will start after the system has been restarted as the "/sbin/klogd" still contains the backdoor.

All four vulnerabilities have been already fixed by different Linux vendors. Further information is available at:

Debian GNU/Linux: https://www.debian.org/security/

Linux Mandrake: (updated 3 Mar 2020): PC World: Mandriva Linux is dead, but these 3 forked distros carry on its legacy

SuSE: https://www.suse.com/en/support/security/index.html

RedHat Linux: https://www.redhat.com/support/errata/

F-Secure Anti-Virus detects the Adore worm with the current updates.