Say Cheese, there's a worm on the loose

Hot on the heels of the sadmind/IIS worm, another automated virus is on the attack.

The self-propagating worm known as Cheese has been infecting Linux servers, and even though it actually patches a security hole under Linux, it is still seen as a threat by security analysts.

The Cheese worm seeks out Linux servers open to the vulnerability exploited by the Li0n worm which was on the loose two months ago. After gaining access to the system, Cheese patches up the back door, supposedly making the system more secure. It then uses the infected server as a platform to seek out other vulnerable servers on the internet.

Because the Li0n worm listens for data on port 10008, Cheese is programmed to scan this port as well, looking for vulnerable machines.

The enormous amount of scans performed by Cheese has also made it more noticeable to admins. One administrator on the BugTraq security mailing list said: "My firewall logs went insane last night with gazillions of connection attempts to port 10008."

Graham Cluley, senior technology consultant for Sophos, said that even though the virus appears to be doing some good, it is still malware. "Administrators will want to authorise any changes to their systems, this is still modifying a machine without authorisation," he said.

"And besides that," he added, "putting patches on a machine in the wrong order can cause even more damage."

Notes included in the virus code seem to portray the virus as being benign in intention. "This code was not written with malicious intent," reads one line. It claims to have been written "to stop pesky haqz0rs messing up your box even worse than it is already".