Skip navigation
Skip navigation

Cambridge, UK, January 19, 2001 - Kaspersky Lab, an international
data-security software-development company, reports the discovery of a new
Internet-worm that attacks computers with Red Hat Linux operating system

As it was emphasised in the latest virus advisory regarding the "Davinia"
worm dated January 16th, it is one of the modern trends in malicious code
development that virus writers often use known breaches in security
systems of different platforms and applications. The recently detected
"Ramen" worm is yet another confirmation of this trend. But this time the
victim is the Linux operating system, which is considered to be one of the
most protected platforms available today.

To penetrate computers that have Red Hat Linux 6.2 or 7.0 installed,
"Ramen" exploits three security breaches named "in.ftpd", "rpc.statd" and
"LPRng", which were detected and closed, in June-September 2000. All of
these breaches are from the "Buffer Overflow" category and allow a
malicious person to send a remote system an executable code and run it
without the user's permission.
The way the worm works is rather sophisticated. Firstly, a target computer
receives data that overflows the system's internal buffer, so a worm code
gains the root privileges and starts the command processor that executes
the worm's instructions. Then "Ramen" creates the "/usr/src/.poop" folder,
launches the "lynx" Internet browser and downloads there, the worm's
archive "RAMEN.TGZ" from a remote computer. After this, "Ramen" opens the
archive and executes its main file "START.SH".
The worm has no additional payload except for changing the content of
"INDEX.HTML" files found on the system. When the affected HTML-files are
run they display the following message:

RameN Crew

Hackers loooooo00000000000ve noodles.

"It is important to emphasize that the breaches exploited by the "Ramen"
worm are also found on other Linux distributes, such as: Caldera
OpenLinux, Connectiva Linux, Debian Linux, HP-UX, Slackware Linux and
other. This particular worm is triggered to activate only on systems
running Red Hat Linux. However, it is probable that in the future other
modifications of "Ramen" will successfully operate on other Linux
platforms." Said Denis Zenkin, Head of Corporate Communications for
Kaspersky Lab. "Therefore we recommend users to immediately install
patches for these breaches regardless of the Linux distribute you use".

More details about the "Ramen" can be found in the Kaspersky's Virus
Encyclopedia at

Up until now Kaspersky Lab has received no reports of this worm to be
found "in-the-wild". Although we recommend users to download the daily
update for Kaspersky Anti-Virus (AVP) database, that contains protection
against the "Ramen" worm.

Kaspersky Anti-Virus can be purchased in Kaspersky Lab online store.

Notes to Editors

Screenshot of display message available, please contact Sara Claridge 0118
9755188 or email

About Kaspersky Lab

Kaspersky Lab Ltd. is a fast growing international privately owned
data-security software-development company with offices in Moscow
(Russia), Cambridge (UK) and Walnut Creek (United States). Founded in
1997, the company concentrates its efforts on the development of
world-leading anti-virus technologies and software. Kaspersky Lab also
provides free online security related Internet information services. The
company markets, distributes and supports its software and services in
more than 40 countries worldwide.

Media Contacts

Denis Zenkin

Kaspersky Lab, Ltd.

Phone: +7 (095) 797 87 00



Sara Claridge

Marylebone Media Relations

Phone +44 118 975 5188


This press release was distributed by ResponseSource Press Release Wire on behalf of Marylebone Media Relations in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms, for more information visit