Informational Advisory - Ramen Worm
Last Updated 1/17/00
This worm takes advantage of security holes in default installations of Red Hat 6.2 and 7.0. Ramen scans for rpc.statd and wu-ftpd vulnerabilities. If the worm gains root access to the system, it installs itself as a “root kit,” which professes to patch these security holes. If the compromised machine serves web pages, the worm also replaces the default Web page with a page that contains the text: “RameN Crew-Hackers looooooooooooove noodles.” After the worm installs itself, it sends an e-mail message to two specific accounts and then reboots the machine. It then starts scanning for other vulnerable machines, which consumes considerable bandwidth. This scanning traffic makes an infected machine easier to detect.
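The two visible signs described above (the replaced default Web page and the outbound scanning) can be checked for as follows. This is an added example, not part of the original advisory; the flow-log line format, the threshold, and the choice of ports 21 (FTP) and 111 (RPC portmapper) are assumptions, and the sample data is constructed.

```python
import re
from collections import defaultdict

# Defacement text quoted in the advisory; the run of "o" is matched loosely.
DEFACEMENT = re.compile(r"RameN\s+Crew.{0,40}?lo+ve\s+noodles", re.I | re.S)

# Assumption: watch FTP (21) and the RPC portmapper (111), the ports behind
# the two services the advisory says the worm scans for.
WATCHED_PORTS = {21, 111}


def page_is_defaced(html):
    """True if a Web page body contains the worm's replacement text."""
    return bool(DEFACEMENT.search(html))


def scanning_hosts(flow_lines, threshold=20):
    """Return {source: distinct destination count} for sources that contacted
    at least `threshold` different hosts on the watched ports.

    Assumed line format: '<epoch> <src_ip> <dst_ip> <dst_port>'.
    Malformed lines are skipped rather than aborting the run.
    """
    targets = defaultdict(set)
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        _, src, dst, port = parts
        if int(port) in WATCHED_PORTS:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= threshold}


# Constructed sample data (documentation address ranges, not real traffic).
SAMPLE_FLOWS = (
    [f"979700000 10.0.0.5 192.0.2.{i} 21" for i in range(1, 31)]      # fan-out
    + [f"979700100 10.0.0.9 198.51.100.{i} 21" for i in range(1, 4)]  # normal FTP
    + [f"979700200 10.0.0.7 203.0.113.{i} 80" for i in range(1, 41)]  # web browsing
    + ["truncated line"]
)
SAMPLE_PAGE = "<html><body>RameN Crew-Hackers looooooooooooove noodles.</body></html>"

if __name__ == "__main__":
    print("defaced:", page_is_defaced(SAMPLE_PAGE))
    print("scanners:", scanning_hosts(SAMPLE_FLOWS))
```
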
For more information see:
http://vil.nai.com/vil/virusSummary.asp?virus_k=98975 from NAI.
This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.