This Linux malware is a package of scripts and binaries that exploits vulnerable BIND (Berkeley Internet Name Domain) servers to gain access, then copies the package to each newly compromised system so that it can attack further systems from there.
The malware creates a user account "w0rm" with a NULL (empty) password and sends the compromised machine's IP address to a remote user, presumably the author of the malware.
It also overwrites all INDEX.HTML files on an infected system with the following text string:
"The ADM Inet w0rm is here !"
It propagates by scanning a range of Internet IP addresses for other vulnerable systems.
Most of its malicious components are detected as UNIX_ADM.WORM.A; the remaining components are detected as UNIX_HIJACK.A.
Solutions:
Type the following commands at the Linux command prompt:
To delete the SUID root shell created by the malware, type:
/bin/rm -rf /tmp/.w0rm
To terminate the running malware process from memory, type:
/usr/bin/killall -9 ADMw0rm
To delete the worm's files located in the subfolder it created, type:
/bin/rm -rf /tmp/.w0rm0r
To remove the worm user account created by the malware, type:
/usr/sbin/userdel -r w0rm
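Before running the removal commands above, an administrator usually wants to confirm which of the worm's artifacts are actually present, on the live host or on a mounted disk image. The following POSIX shell audit script is an added example written for this page, not a tool from the original entry or from the vendor: it checks a root directory for the indicators the description names (the "w0rm" account, the /tmp/.w0rm SUID shell, the /tmp/.w0rm0r working directory, a running ADMw0rm process, and index.html files carrying the defacement string) and reports each hit without changing anything. The fixture directory it builds under mktemp is constructed sample data so the script runs offline; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): read-only audit for the
# ADM worm indicators described above. Pass "/" for the live host or the
# mount point of a disk image; nothing is deleted or killed.

# Does the passwd-format file $1 contain a "w0rm" account?  Exit 0 if so.
has_w0rm_account() {
    grep -q '^w0rm:' "$1" 2>/dev/null
}

# Does the "w0rm" account in $1 have an empty (NULL) password field?
has_w0rm_null_password() {
    grep -q '^w0rm::' "$1" 2>/dev/null
}

# Are the worm's SUID shell or working directory present under root $1?
worm_files_present() {
    [ -e "$1/tmp/.w0rm" ] || [ -d "$1/tmp/.w0rm0r" ]
}

# Is an ADMw0rm process running right now?  Only meaningful on a live host.
worm_process_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x ADMw0rm >/dev/null 2>&1
}

# Does any index.html / INDEX.HTML under $1 carry the defacement string?
has_defaced_index() {
    find "$1" -type f \( -name 'index.html' -o -name 'INDEX.HTML' \) \
        -exec grep -l 'The ADM Inet w0rm is here' {} + 2>/dev/null | grep -q .
}

# Print one line per indicator found under root $1.
audit_root() {
    root=$1
    if has_w0rm_account "$root/etc/passwd"; then
        if has_w0rm_null_password "$root/etc/passwd"; then
            echo "account: w0rm present in $root/etc/passwd with NULL password"
        else
            echo "account: w0rm present in $root/etc/passwd"
        fi
    fi
    [ -e "$root/tmp/.w0rm" ]   && echo "file: $root/tmp/.w0rm (SUID root shell)"
    [ -d "$root/tmp/.w0rm0r" ] && echo "dir: $root/tmp/.w0rm0r (worm working directory)"
    if has_defaced_index "$root"; then
        echo "web: index.html defaced under $root"
    fi
    if [ "$root" = "/" ] && worm_process_running; then
        echo "process: ADMw0rm is running"
    fi
    return 0
}

# Number of indicator lines audit_root reports for root $1.
indicator_count() {
    audit_root "$1" | wc -l | tr -d ' '
}

# Constructed fixture: a fake root that carries every file-based indicator.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/etc" "$fx/tmp/.w0rm0r" "$fx/var/www/html"
    printf 'root:x:0:0:root:/root:/bin/sh\nw0rm::0:0::/:/bin/sh\n' > "$fx/etc/passwd"
    : > "$fx/tmp/.w0rm"
    echo 'The ADM Inet w0rm is here !' > "$fx/var/www/html/index.html"
    echo "$fx"
}

FIXTURE=$(make_fixture)
audit_root "$FIXTURE"
```

Run it as `sh admw0rm-audit.sh` to see the four indicator lines the fixture produces, then call `audit_root /` on the host in question; once the report confirms the artifacts, the removal commands listed above apply in the order given (kill the process before deleting the files, and remove the account last).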