Known as the Adore worm, the program is designed to create so-called back doors in the security of Linux systems and send information identifying the compromised systems to four different e-mail addresses hosted on servers in China and the United States.
"It seems to be a variant of the Ramen worm," said David Dittrich, security administrator for the University of Washington and an expert on digital forensics and hacking tools.
The Ramen worm, which used three well-known security flaws to infect systems using the Red Hat distribution of Linux, hit in mid-January and infected an unknown number of computers.
The vulnerabilities exploited by Ramen occur in three programs shipped with most Linux distributions and installed by default.
The 1i0n worm, discovered last month by the Systems Administration Networking and Security Institute (SANS), used a fourth flaw to spread among servers that had domain name service, or DNS, software installed.
The Adore worm--also known as the Red worm--uses all four flaws to automatically break into vulnerable systems. While patches have existed for all the vulnerabilities for at least a few months, most system administrators have not patched their systems, said Matt Fearnow, incident handler for the SANS Global Incident Analysis Center.
"Three out of four of these exploits were patched back in August," he said. "We can only get after the system administrators to keep their systems patched."
Once in a system, the Adore worm replaces an application known as PS--used by administrators to list the currently running programs on a system--with a copy that will list all programs except the worm.
Then it will send a copy of several key system files to four e-mail addresses: two in the United States and two in China. Each e-mail uses the username adore9000 or adore9001, hence the worm's name.
SANS has released a program called "adorefind" that can detect whether a system has been compromised by the worm.
The worm appears to be spreading somewhat quickly and hammering a variety of servers with scans aimed at uncovering telltale signs of the vulnerable programs.
On the Bugtraq list moderated by SecurityFocus.com, several administrators raised concerns about aggressive scanning of their systems.
"Numerous people are reporting heavy scanning...from a lot of different hosts," wrote one administrator.
Another person discovered the worm in one of his Red Hat Linux machines. "One of these (scans) succeeded in breaking into a unpatched Red Hat 6.2 box," he wrote.
Hidden back door
The online vandals who released the worm appear to be using it as a way to compromise a large number of systems.
In addition to its other activities, the worm replaces a basic Internet service, known as ICMP (Internet Control Message Protocol), with an almost identical version. The new version of the program opens up a back door--bypassing security--whenever it receives the proper command sequence from the Internet.
ICMP is typically used to send error information from machine to machine across the Internet.
After infecting a machine and sending information about the computer through e-mail, the worm waits until 4:02 a.m. and then deletes all its files, except the backdoor.