BSD.Worm.Scalper Analysis

Virus analyzed by:

Sorin Victor DUDEA

BitDefender Virus Researcher

http://www.bitdefender.com

Name: BSD.Worm.Scalper

Aliases: FreeBSD.Scalper.Worm

Type: Executable Worm Mailer

Size: ~51626 bytes

Discovered: 06, 29, 2002

Detected: 06, 29, 2002, 14:00 (GMT+2)

Spreading: Low

Damage: Low

ITW: Unknown

Symptoms:

– file .a in tmp

Technical description:

This is an Internet worm that attacks Apache servers running on FreeBSD.

It exploits the Apache HTTP Server chunked-encoding stack overflow vulnerability to upload itself to those systems and run on them.

After its first execution, the worm starts scanning for Apache servers running on FreeBSD; if it finds any, it uses the above vulnerability to upload and execute itself.

It downloads every web page it finds and searches the HTML for e-mail addresses. When it finishes searching, it sends spam e-mails to those addresses using a public SMTP server.

HNS Note: Apache Chunk Handling Roundup is available here:

http://www.net-security.org/article.php?id=134
