
Conventions:


Analysis Method:


Tools Used:


Answers:

1. What is the type of the .unlock file? When was it generated?
2a. Based on the source code, who is the author of this worm? 2b. When was it created? 2c. Is it consistent with the date from question 1?
3. Which process name is used by the worm when it is running?
4a. In which format does the worm copy itself to the newly infected machine? 4b. Which files are created in the whole process?
   /tmp/.unlock.uu   Uuencoded version of .unlock, used for transport.
   /tmp/.unlock      The whole worm in gzipped form.
   /tmp/.unlock.c    The worm as C source.
   /tmp/.update.c    A backdoor program as C source.
   /tmp/httpd        The compiled binary of .unlock.c.
   /tmp/update       The compiled binary of .update.c.
4c. After the worm executes itself, which files remain on the infected machine?
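The file chain in 4b (a uuencoded transport file that decodes to a gzipped payload) can be reconstructed during triage without touching the worm itself. The following is an added example, not code from the original write-up or from the worm: it finds uuencoded files in a directory by their `begin` header, decodes them, checks the result for the gzip magic bytes before inflating it, and reports what it found. The payload, the temporary directory and the helper names (`uuencode`, `uudecode`, `triage_dir`, `demo`) are constructed for the example; the real /tmp/.unlock is not reproduced.

```python
"""Added example: triage of a uuencoded, gzipped payload such as the
.unlock.uu -> .unlock chain described in answer 4b.  Everything here is
constructed for illustration and is not the worm's own code or data."""
import binascii
import gzip
import os
import tempfile

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip member


def uuencode(data: bytes, name: str, mode: int = 0o644) -> bytes:
    """Produce standard uuencoded text: 'begin <mode> <name>', 45-byte lines,
    a '`' terminator line and 'end'."""
    out = [f"begin {mode:o} {name}\n".encode()]
    for i in range(0, len(data), 45):
        out.append(binascii.b2a_uu(data[i:i + 45]))
    out.append(b"`\nend\n")
    return b"".join(out)


def uudecode(text: bytes):
    """Return (inner_name, payload) for a uuencoded blob, or None if the blob
    does not start with a 'begin' header."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith(b"begin "):
        return None
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        return None
    inner_name = parts[2].decode(errors="replace")
    payload = bytearray()
    for line in lines[1:]:
        if line == b"end":
            break
        if not line:
            continue  # a2b_uu turns an empty line into 32 NUL bytes; skip it
        payload += binascii.a2b_uu(line)  # the '`' line decodes to b""
    return inner_name, bytes(payload)


def triage_dir(path: str) -> dict:
    """Scan a directory for uuencoded files.  For each one, record the inner
    file name from the 'begin' line, whether the decoded payload is gzip
    (checked by magic, not by name) and, if so, the inflated contents."""
    findings = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            blob = fh.read()
        decoded = uudecode(blob)
        if decoded is None:
            continue
        inner_name, payload = decoded
        is_gzip = payload.startswith(GZIP_MAGIC)
        inflated = gzip.decompress(payload) if is_gzip else None
        findings[entry] = {"inner_name": inner_name, "gzip": is_gzip,
                           "inflated": inflated}
    return findings


def demo() -> dict:
    """Build a constructed .unlock.uu in a scratch directory and triage it."""
    # Constructed stand-in for the packed worm; not the real .unlock contents.
    source = b"/* constructed placeholder standing in for .unlock.c */\n"
    packed = gzip.compress(source)
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, ".unlock.uu"), "wb") as fh:
            fh.write(uuencode(packed, ".unlock"))
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"not uuencoded\n")  # must be ignored by the triage
        result = triage_dir(tmp)
    result[".unlock.uu"]["matches_source"] = (
        result[".unlock.uu"]["inflated"] == source)
    return result


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, "->", info["inner_name"], "gzip:", info["gzip"],
              "bytes:", len(info["inflated"] or b""))
```

Checking the gzip magic rather than trusting the inner file name matters on a live system: the `begin` line names whatever the dropper chose, so the decoded payload should be identified by its own bytes before anything is inflated or compiled.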
5. Which port is scanned by the worm?
6. Which vulnerability does the worm try to exploit? On which architectures?
7. What kind of information does the worm send by email? To which account?
8. Which port (and protocol) is used by the worm to communicate with other infected machines?
9. Name 3 functionalities built into the worm to attack other networks.
10. What is the purpose of the .update.c program? Which port does it use?
11. BONUS: What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?
Author: Marten King martenk at redteam dot ca