
New Worm



FYI

Dangerous New Worm Spreading on the Internet, Affecting Linux Systems

On March 22, the SANS Institute (through its Global Incident Analysis
Center) uncovered a dangerous new worm that appears to be spreading rapidly
across the Internet.  It scans the Internet looking for Linux computers
with a known vulnerability. It infects the vulnerable machines, steals the
password file (sending it to a China.com site), installs other hacking
tools, and forces the newly infected machine to begin scanning the Internet
looking for other victims.

The Lion worm is similar to the Ramen worm. However, this worm is
significantly more dangerous and should be taken very seriously.  It
infects Linux machines running the BIND DNS server.  It is known to infect
BIND version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas. The
specific vulnerability used by the worm to exploit machines is the TSIG
vulnerability that was reported on January 29, 2001.

At this time, the Lionfind detection utility is not able to remove the
virus from the system.  If and when an updated version becomes available
(and SANS expects to provide one), an announcement will be made at the SANS
site.

For full details on the story from the SANS website, go to:
http://www.sans.org/y2k/lion.htm

To download a utility called Lionfind that will detect the Lion files on an
infected system, go to: http://www.sans.org/y2k/lionfind-0.1.tar.gz




