Cheese is an internet worm on Linux systems that replicates between systems that were previously hacked by the "Ramen" Linux worm, and not the "Lion" or "Adore" worms as it is stated in other various descriptions, or the worm itself. (see the text below). Cheese will also act as a security patch that removes the backdoors added by previous attacks, but it will not remove or patch the vulnerabilities used to hack the respective systems; thus, the machines will still remain vulnerable to the original attack(s) used to compromise them. The worm contains the following text:

> # removes rootshells running from /etc/inetd.conf
> # after a l10n infection... (to stop pesky haqz0rs
> # messing up your box even worse than it is already)
< # This code was not written with malicious intent.
< # Infact, it was written to try and do some good. No matter how good the original intention of the author was, "Cheese" remains a piece of replicative "malware" that eats up resources such as CPU, memory, disk space or Internet bandwidth from infected systems; thus, remaining a "bad thing".


The worm consists of three program files named "cheese", "go" and "psm". "go" is the worm's "entrypoint", that basically executes the main worm body, "cheese", in such a way that makes it immune to signals, which might attempt to halt it. "cheese", a 2KB long Perl script, is the main part of the worm, the one responsible for the replication.

When run, it will first scan "/etc/inetd.conf" for services attempting to execute "/bin/sh", mostly root-shell backdoors, and remove them. Obviously, if a root shell has been added to the newer-style "/etc/xinetd.conf", the worm will not notice it, and leave it untouched.

Next, it will generate a random 16-bit IP base, such as "a" and "b" in the "a.b.x.y", then it will use an external Linux ELF program to scan the respective Internet IP class for hosts listening on port 10008. Usually, these are hosts that have been previously hacked by the "Ramen" worm, hosts that run an open root shell on the respective port. So, when such a host is found, the worm will execute a small installation script on the remote host that will create a directory named "/tmp/.cheese", and it will launch an instance of the popular Lynx browser to download a copy of the worm from the infected system. The worm itself will listen for the connection attempt on the source system, and forward an UUE-encoded copy of itself to the remote caller. The installation script running on the target system will decode the worm body, unpack it in the "/tmp/.cheese" directory, and eventually execute the "go" script to launch the worm, which propagates the infection further.


Net-Worm.Linux.cheese (Kaspersky Lab) is also known as:

  • Worm.Linux.Cheese (Kaspersky Lab)
  • Worm.Cheese (Kaspersky Lab)
  • Virus: Linux/Cheese.worm (McAfee)
  • Linux/Cheese (Sophos)
  • Worm Generic (Panda)
  • Unix/Cheese (FPROT)
  • Worm:Linux/Cheese [non_writable_container] (MS(OneCare))
  • Worm:Linux/Cheese (MS(OneCare))
  • Linux.Cheese (Dr. Web)
  • Linux/Cheese worm (ESET NOD32)
  • Worm.Linux.Cheese (BitDefender)
  • ELF:Malware-gen (Avast)
  • Net-Worm.Linux.cheese (Ikarus)
  • Linux/Cheese.B (AVG)
  • LINUX/Cheese.PSM (Avira)
  • Net-Worm.Linux.cheese <<< LINUX/Cheese.PSM (Avira)
  • Linux.Cheese.Worm (NAV)
  • Linux/Cheese (Norman)
  • Linux/Cheese.worm (NAI)
  • Worm.Linux.Cheese.a (Rising)
  • ELF_CHEESE.A (TrendMicro)