When the worm enters the system, it first creates a directory
"/dev/.lib". It then sends a copy of the output of the ifconfig command,
"/etc/passwd" and "/etc/shadow" to an email address at china.com. Next
the worm adds an open shell listening on port 1008 by adding an entry
to "/etc/inetd.conf" and restarting the inetd daemon. "/etc/hosts.deny"
is also removed.
At this point Lion downloads its main part from a web server
located in China. This web server was closed on March 24th, 2001,
effectively stopping the worm. However, the worm is still able to send
the password files to the china.com domain and add the open shell on port
1008.
When the main worm is downloaded, it is extracted to
"/dev/.lib/lib" and the next part is executed. This part starts
scanning random Class B subnets for vulnerable hosts. If any DNS server
is found, the worm attempts to infect it.
There are two known variants of the worm. The first variant contains
only the worm; the second one also installs a rootkit (backdoor) on
the systems it is able to infect.
The rootkit installation first disables syslogd on the system and
adds two additional open shells on ports 60008 and 33567 by adding two
entries to "/etc/inetd.conf". To activate these changes, the inetd daemon
is restarted.
Next a trojanized ssh daemon is installed as "/usr/sbin/nscd". It is
added to "/etc/rc.d/rc.sysinit" and started so that it listens on port 33568.
As part of the rootkit, several system executables are replaced with
modified versions:
/usr/sbin/in.fingerd
/bin/ps
/sbin/ifconfig
/usr/bin/du
/bin/netstat
/usr/bin/top
/bin/ls
/usr/bin/find
The rootkit also adds the following files to the system:
/bin/in.telnetd
/bin/mjy
These binaries add more backdoors to the system and attempt to hide the
rootkit's presence by hiding the files and processes that belong to the rootkit.
Additionally, the rootkit stores its configuration and backup data in the
following directories:
/usr/man/man1/man1/lib/.lib/
/usr/man/man1/man1/lib/.lib/.backup/
/usr/src/.puta/
/usr/info/.t0rn/
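The indicators listed above collected into a host check, as an added example that is not part of the original description. The directories, files, ports and the rc.sysinit reference come from the text; the ROOT argument (default: the live root) is an assumption so that the same checks can run against a mounted disk image, and the demo tree is a constructed sample, not captured data.

```sh
#!/bin/sh
# Hypothetical checker for the Lion worm / rootkit indicators described above.
# ROOT lets the checks run against a mounted image instead of the live host.

lion_check() {
    root="${1:-}"
    found=0
    # Directories created by the worm (/dev/.lib) and by the rootkit
    for d in /dev/.lib /usr/man/man1/man1/lib/.lib /usr/src/.puta /usr/info/.t0rn; do
        if [ -d "$root$d" ]; then echo "dir: $d"; found=$((found + 1)); fi
    done
    # Files the rootkit adds
    for f in /bin/in.telnetd /bin/mjy; do
        if [ -f "$root$f" ]; then echo "file: $f"; found=$((found + 1)); fi
    done
    # /usr/sbin/nscd is also the name of a legitimate name-service cache daemon,
    # so it only counts when rc.sysinit is what starts it, as the rootkit does
    if [ -f "$root/etc/rc.d/rc.sysinit" ] && grep -q 'nscd' "$root/etc/rc.d/rc.sysinit"; then
        echo "rc.sysinit starts nscd (trojanized sshd on port 33568)"
        found=$((found + 1))
    fi
    # Non-comment inetd entries that spawn a shell or name the backdoor ports
    if [ -f "$root/etc/inetd.conf" ] \
       && grep -Eq '^[^#].*(1008|60008|33567|/bin/sh)' "$root/etc/inetd.conf"; then
        echo "inetd.conf: backdoor shell entry"
        found=$((found + 1))
    fi
    # The worm deletes /etc/hosts.deny; on its own this is weak evidence
    if [ -d "$root/etc" ] && [ ! -f "$root/etc/hosts.deny" ]; then
        echo "missing: /etc/hosts.deny"
        found=$((found + 1))
    fi
    echo "$found indicator(s) found"
    [ "$found" -eq 0 ]   # exit status 1 when anything was found
}

# Constructed tree reproducing part of an infection, for an offline run
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/dev/.lib" "$t/usr/src/.puta" "$t/etc/rc.d"
    printf 'ALL: ALL\n' > "$t/etc/hosts.deny"
    printf '# comment\n1008 stream tcp nowait root /bin/sh sh -i\n' > "$t/etc/inetd.conf"
    printf '/usr/sbin/nscd -q\n' > "$t/etc/rc.d/rc.sysinit"
    echo "$t"
}

if [ "${1:-}" = "--demo" ]; then lion_check "$(make_demo_tree)"; fi
```

Run it with no arguments to check the live host, or with `--demo` to see the output against the constructed tree.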