This worm is a variant of ELF_SLAPPER.GEN. It launches a Distributed Denial of Service (DDoS) attack. It uses the User Data Protocol (UDP) to execute the attack, and takes advantage of buffer overflow vulnerability in OpenSSL 0.9.6d, 0.9.7-beta2 and earlier versions.
This variant has the following components (note the "." in the filenames):
- .UNLOCK.C (72,772 Bytes)
- .UPDATE.C (2,875 Bytes)
.UNLOCK.C is the worm C source code. It is very similar to the ELF_SLAPPER.GEN source code, differing only in the filename used, which is .unlock instead of .bugtraq. It also has the ability to alert the virus author by sending system information through email. The email details are as follows:
Mail server: freemail.ukr.net
Message: <HOST_I.P. and HOST_NAME>
The file .UPDATE.C is a C source code for the backdoor component of this worm. The backdoor requires a password in order to process the command. It only downloads the program passed to it by its client and uses the shell to execute it, and then exits. It listens on port number 1052 and requires the password �aion1981� before it processes the command.
Unlike ELF_SLAPPER.GEN, this variant uses the default port number 4156 instead of port 2002 to listen for commands for its DDoS operation.
The following text string can be found in this worm source code:
code by aion (firstname.lastname@example.org)