McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

BSD/Scalper.worm

This page shows details and results of our analysis on the malware BSD/Scalper.worm

Threat Detail

Malware Type: Virus

Malware Sub-type: Internet Worm

Discovery Date: 2002-06-28

Next Steps:

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4210 (2002-07-03)

Updated DAT

4210 (2002-07-03)

 Minimum Engine

5.1.00

File Length

0

 Description Added

2002-06-28

Description Modified

2002-11-12

Malware Proliferation

Characteristics

This worm spreads over Apache web servers on FreeBSD by using the Chunked Encoding exploit.

It first sends an ordinary request to the server. If it gets a reply back saying that the server is Apache it will send the exploit regardless of the target server being vulnerable or not.

The worm appears to give an attacker remote control abilities, including DDoS capability. Each worm installation keeps in memory a list of all the IPs infected from it so that all infected servers are connected in a tree like fashion. Commands sent to one node propagate to its children and include:

  • execution of arbitrary commands,
  • udp, tcp, mail, dns, http, raw floods to specific hosts,
  • retrieve the emails from the entire file system,
  • attack a specific server,
  • update the children node list to extend the tree structure to a generic graph,
  • self update. When an update is issued from the parent worm, the new binary is uploaded into the file /tmp/init and started. After that the parent process kills itself.
There are two variants, 51,199 bytes and 51,626 bytes long (the available sources suggest there may be four different variants compiled for different situations).

Symptoms

Excess Internet activity.
Presence of *.a and *.uua files

Method of Infection

This worm uses an exploit in the FreeBSD Apache server.

Removal

Detection is included in the specified DAT release.

In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Delete files identified by the scanner, replace them with clean ones from backup or re-install them using the original packages. Reboot the system.

Administrators should regularly check for availability of important security updates/patches.

Recommended links:

Caldera

Debian

FreeBSD

Redhat

Sun

SuSe

Variants

United States - English