I just want to warn everyone about this worm, because I got it, but don't know how to take it off. But I just found its details.
If anyone knows more details, please tell me how to take it off my Linux.
(09/15/2002)--F-Secure: Linux.Slapper worm found from more than 100 countries.
THIS VIRUS IS RANKED AS LEVEL 1 ALERT UNDER F-SECURE RADAR. This is a high level alert! F-Secure issues Level 1 alerts when the security risk is substantial. This includes viruses, worms, and/or denial of service attacks that have the ability to spread quickly and become widespread with the ability to inflict major damage to systems.
Note: F-Secure is upgrading Linux.Slapper worm to Alert Level 1 as it continues to spread rapidly. Slapper has been sighted on more than 13000 Linux servers, representing more than 100 countries.
Slapper is a network worm that spreads on Linux machines by using a flaw discovered in August 2002 in OpenSSL libraries. The worm was found in Eastern Europe late on Friday September 13th 2002.
The worm typically affects Linux machines that are running Apache web server with OpenSSL enabled. Apache installations cover more than 60% of public web sites in the internet. It can be estimated that less than 10% of these installations have enabled SSL services. By some estimates, there are over one million active OpenSSL installations in the public web. A very big part of these machines have not yet been patched to close this hole, and are thus prone to infection by the Slapper worm.
Once a machine gets infected by Slapper, it joins a massive peer-to-peer denial-of-service network, which can be controlled by the virus author.
The worm works on Intel-based machines running Linux distributions from Red Hat, SuSE, Mandrake, Slackware or Debian. Apache and OpenSSL must be enabled and the OpenSSL version must be 0.9.6d or older.
Slapper is very similar to the Scalper Apache worm, which was found in June 2002. The basic theory of operation is similar to the first widespread web worm, Code Red. Code Red infected more than 350000 websites running Microsoft IIS in July 2001.
The worm is visible in the infected system as a process ".bugtraq". An infected system can be disinfected by terminating the worm's process, and by removing the files created in the temporary directory:
/tmp/.uubugtraq
/tmp/.buqtraq.c
/tmp/.bugtraq
The Apache web server must be shut down as well and the OpenSSL library must be upgraded to a fixed version (0.9.6e or above) in order to avoid reinfection.
Note: Detection for F-Secure Anti-Virus was published on September 14th, 2002:
[FSAV_Database_Version]
Version=2002-09-14_01
For a detailed description of the Linux.Slapper worm:
http://www.fsecure.com/slapper/
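
The checks the advisory above describes (the ".bugtraq" process, the three /tmp files, and an OpenSSL version of 0.9.6e or above), written out as a shell script. This is an added example, not part of the original post or of F-Secure's advisory; the function names are made up for illustration, and it assumes the `openssl` command reports the same version as the library Apache loads.

```shell
# Added example: Slapper indicator check; paths copied exactly as the advisory lists them.
SLAPPER_FILES="/tmp/.uubugtraq /tmp/.buqtraq.c /tmp/.bugtraq"

# Print each advisory file that exists under ROOT ("" = the live system).
find_slapper_files() {
    for f in $SLAPPER_FILES; do
        [ -e "$1$f" ] && echo "$f"
    done
    return 0
}

# Read process names on stdin; succeed if one is exactly ".bugtraq".
has_slapper_process() {
    grep -Fxq '.bugtraq'
}

# Succeed if VERSION (e.g. "0.9.6d") is 0.9.6e or above, per the advisory.
openssl_is_fixed() {
    nums=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # "0.9.6"
    suffix=$(printf '%s' "$1" | sed 's/^[0-9.]*//')   # "d"
    old_ifs=$IFS; IFS=.; set -- $nums; IFS=$old_ifs
    n=$(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
    [ "$n" -gt 906 ] && return 0
    [ "$n" -lt 906 ] && return 1
    case "$suffix" in                 # 0.9.6 series: compare the letter
        ""|a|b|c|d) return 1 ;;
        *) return 0 ;;
    esac
}

# Report on ROOT; the openssl CLI may differ from the library Apache loads.
slapper_report() {
    hits=$(find_slapper_files "$1")
    [ -n "$hits" ] && echo "worm files present:" $hits
    if ps -e -o comm= 2>/dev/null | has_slapper_process; then
        echo "process .bugtraq is running"
    fi
    ver=$(openssl version 2>/dev/null | awk '{print $2}')
    if [ -z "$ver" ]; then
        echo "openssl version unknown"
    elif openssl_is_fixed "$ver"; then
        echo "OpenSSL $ver is at or above 0.9.6e"
    else
        echo "OpenSSL $ver is 0.9.6d or older: upgrade before restarting Apache"
    fi
    return 0
}

slapper_report ""
```

The script only reports; killing the process, deleting the files, stopping Apache and upgrading OpenSSL are still done by hand as the advisory says.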