Upon execution, this Linux worm connects to a remote machine using the UDP protocol on a specified port. UDP is a protocol that allows connections even to unstable machines, since it does not require error-checking.
This worm uses the buffer overflow vulnerability in OpenSSL 0.9.6d and earlier verions, and 0.9.7-beta2 and earlier versions. It allows remote users to execute arbitrary code via a large client master key in SSL2 or a large session ID in SSL3. This exploit appears to determine how this worm attacks a host based on the information returned by the server on itself and its version.
This worm links by providing each machine with a list of available machines. Using a technique called broadcast segmentation combined with TCP-like functionality, this worm ensures that another machine on the network receives the broadcast packet, which it then segments again. After this, it recreates the packet and sends it to other hosts.
This worm attempts to connect to Port 80. Once connected, it sends an invalid GET request to a server to identify whether the machine is an Apache system. Once it finds an Apache system, this worm attempts to connect to port 443 and sends the exploit code to the listening SSL service on the remote system.
This Linux worm arrives on the target system as a source code with the filename ".bugtraq.c". It uses a Linux shell code exploit that runs only on Intel systems. In order for the code to execute properly, it requires the presence of the shell command /bin/sh. It recompiles itself on each new system.
The binary code generated after compilation is executed with an IP address as a parameter. This IP address is the address of the attacking machine and is used to create a network of worm infected systems, which would launch the destributed denial of service attack.