This worm only affected Red Hat's Linux servers and not Microsoft's operating systems, computer security company Symantec said. The worm attacks sites running Red Hat Linux and then spreads by locating other servers running the same operating system. It is in fact a collection of Linux shell scripts and utilities that arrive on the infected system in a file called Ramen.tgz.

The worm begins by executing a shell script called start.sh. This script calls a random number generator that produces IP addresses (a class B subnet) and then tries to copy itself to any address in that range on which it finds a server running Red Hat Linux 6.2 or 7.0.

The worm can scan the Internet very quickly (more than 100,000 IP addresses in less than 15 minutes) in search of servers to infect, consuming huge amounts of bandwidth in the process; even so, it spreads very quickly. On Red Hat 6.2 computers the worm exploited vulnerabilities in the rpc.statd or wu-ftpd service.

Once inside, the worm copies itself over as a tar.gz package. That package is served by an HTTP server on port 27374 which the worm itself started on the already-infected host; the worm then extracts the contents of the package into a temporary directory on the attacked computer and executes start.sh, activating the worm on the new machine.
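Two of the behaviours described above are easy to turn into host- and network-side checks: a single source sweeping many distinct hosts on one port within a short window, and a listening socket on TCP 27374 where the worm serves its package. The following detector is an added example, not code from the original page or from Symantec; the simplified iptables-style log line, the netstat-style listener output and all sample data are constructed here for illustration.

```python
"""Detection helpers for Ramen-style worm activity (added example).
Signal 1: an outbound scan burst, one source contacting many distinct
          (host, port) pairs inside a short window.
Signal 2: a listening socket on TCP 27374, the worm's package server port.
The log and netstat formats below are assumptions of this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified iptables-style line: "<iso-ts> SRC=.. DST=.. PROTO=.. DPT=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)
# netstat -tln style: "tcp  0  0 0.0.0.0:27374  0.0.0.0:*  LISTEN"
LISTENER_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN"
)
WORM_PORTS = {27374}  # HTTP server port named on the page


def parse_log(text):
    """Parse firewall log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["dpt"] = int(rec["dpt"])
        records.append(rec)
    return records


def detect_scan_bursts(records, window_seconds=60, threshold=20):
    """Return {src: n} for sources that reached >= threshold distinct
    (dst, dpt) pairs inside any sliding window of window_seconds."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda r: r["ts"])
        seen = defaultdict(int)  # (dst, dpt) -> occurrences inside the window
        start, best = 0, 0
        for end, r in enumerate(evs):
            seen[(r["dst"], r["dpt"])] += 1
            # Slide the window start forward until it fits within window_seconds.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                key = (evs[start]["dst"], evs[start]["dpt"])
                seen[key] -= 1
                if seen[key] == 0:
                    del seen[key]
                start += 1
            best = max(best, len(seen))
        if best >= threshold:
            hits[src] = best
    return hits


def find_suspicious_listeners(netstat_text, ports=WORM_PORTS):
    """Return [(local_addr, port)] for listeners on the worm's port."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTENER_RE.match(line.strip())
        if m and int(m.group("port")) in ports:
            found.append((m.group("addr"), int(m.group("port"))))
    return found


def build_sample_log():
    """Constructed sample: 10.0.0.5 sweeps 30 hosts in 192.168.0.0/16 on
    ftp/21 within 30 s (worm-like); 10.0.0.9 makes 3 ordinary HTTPS connections."""
    base = datetime(2001, 1, 18, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} SRC=10.0.0.5 DST=192.168.{i % 7}.{10 + i} PROTO=TCP DPT=21")
    for i in range(3):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} SRC=10.0.0.9 DST=192.168.1.{50 + i} PROTO=TCP DPT=443")
    lines.append("noise line that the parser must ignore")
    return "\n".join(lines)


# Constructed netstat -tln style output (not from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:27374           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

if __name__ == "__main__":
    print("scan bursts:", detect_scan_bursts(parse_log(build_sample_log())))
    print("worm-port listeners:", find_suspicious_listeners(SAMPLE_NETSTAT))
```

The window and threshold are deliberately conservative; a sweep at the rate the page describes (100,000 addresses in under 15 minutes) is orders of magnitude above the threshold, so the burst check is meant to flag the obvious case without tuning, while the listener check is a cheap local confirmation on a suspect host.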

Finally, the Trojan sends an email message containing the IP address of the attacked machine to two anonymous accounts on Yahoo! and Hotmail (or on the affected server itself), and then restarts the scan of the Internet.

