Event ID - 110

Port No110
Service NameADM worm
RFC Doc0
ProtocolTCP
DescriptionThis Linux script malware contains several components of scripts and binaries that attempt to exploit the vulnerable BIND (Berkeley Internet Name Domain) systems to gain access as well as attack other systems by copying its package to these vulnerable systems. The malware creates a user account "w0rm" with NULL password and sends the target machine's IP address to the remote user, which is assumed to be the author of the malware. It propagates by scanning a range of IP addresses on the Internet for other vulnerable systems. Most of its malicious components are detected as UNIX_ADM.WORM.A but there are other components that are detected as UNIX_HIJACK.A.
Reference Link ADM worm Trojan
AttackSOLUTION :
PREVENTING YOUR SYSTEM FROM THIS ATTACK
To make sure that your system is immune from this exploit, you will need to upgrade to the current version of BIND.

REPAIRING THE INFECTED SYSTEM
Type in the following commands on the Linux command prompt:
1.To delete SUID Root Shell created by the malware, type: /bin/rm -rf /tmp/.w0rm
2.To terminate the running malware process from memory, type:/usr/bin/killall -9 ADMw0rm
3.To delete worm’s files located in its created subfolder, type:/bin/rm -rf /tmp/.w0rm0r
4.To remove the worm user account created by the malware, type:/usr/sbin/userdel -r w0rm

Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as UNIX_ADM.WORM.A or UNIX_HIJACK.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

NOTE :
The clean procedures above remove the malware in an infected system. The security settings that were modified by the malware, however, need to be restored. After the infection, the malware compromises the system at the root level and sends the IP address to the remote user, thus enabling him/her to log in and perform other security attacks. Please consult the system administrator to restore the security settings of the affected network.

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.