From Sans.org: http://www.sans.org/y2k/ramen.htm

Ramen Worm

William Stearns has written a script to detect the Ramen worm. He can be reached at wstearns@pobox.com. This is version 0.4, updated 02/15/2001.

Updates in version 0.4

Ramenfind now handles a new Ramen variant, which:

- creates /usr/sbin/update, which kills off the trojan lpd and restarts it.
- doesn't remove index.html files (no changes needed to Ramenfind).
- adds a new crontab entry: run update every minute of the first day of the month.
- adds a new crontab entry: nuke synscan every minute of 1am.
- mails /etc/shadow off to the "chicha" and "libero" accounts and wipes the entries from maillog.
- runs "2", which appears to mail off notices to two email accounts (at least one of which has been disabled; no word on the other).
- runs /usr/bin/lpd on future boots from rc.sysinit.
- moves netstat to /usr/lib/ldlibns.so and replaces netstat with a wrapper C app that discards certain lines:

      /usr/lib/ldlibns.so {parameters} | grep -v ftp | \
      grep -v 28593 | grep -v 212.102 | grep -v b92 | \
      grep -v 147.91 | grep -v grep | grep -v ldlibns | \
      grep -v -- -i

- moves ps to /usr/lib/ldlibps.so and replaces ps with a wrapper C app that discards certain lines:

      /usr/lib/ldlibps.so {parameters} | grep -v tail | \
      grep -v ipsc | grep -v synscan | grep -v .sh | \
      grep -v grep | grep -v ldlibps | grep -v -- -i

- moves /bin/login to /usr/lib/ldliblogin.so and replaces it with a trojan.
- copies "td" to /usr/bin/lpd (the normal path is /usr/sbin/lpd) and runs it. td is a Stacheldraht agent.
- makes minor changes to scan.sh (no changes needed to Ramenfind).

Ramenfind also now handles the issue of using ps when ps may have been trojanized.

Goals of the tool

- It should be a shell script so it can be run from a single-floppy Linux if the user chooses.
- It should use standard utilities on a Red Hat Linux system.
- It should allow for either detection or detection and removal of the worm. By default, it should only detect and perform no action.
- It should run as a non-root user, invoking sudo as necessary.
- The user should be given the chance to confirm each command before it is run.
- The script should provide an option to archive the Ramen files for later analysis.
- It should check for needed support utilities.

You can download the source file from here: ramenfind.v0.4.gz

Description of Ramen Worm

A self-propagating Linux worm called Ramen has been reported. This worm is known to infect Red Hat 6.2 and 7.0 machines through vulnerabilities in the wu-ftpd, rpc.statd, and LPRng services. It has the ability to infect other Linux and Unix machines via a vulnerable wu-ftpd version, rpc.statd, or LPRng. The worm can also be easily modified, since it leaves its source code on the machine. GIAC has received several reports of this worm infecting machines, and of the network traffic that it creates.

The worm uses a tool called synscan which has been modified to fit its needs. Using this tool, the worm contacts a randomly generated IP address and checks the FTP banner to determine whether the machine is running Red Hat Linux 6.2 or Red Hat Linux 7.0. For machines running Red Hat 6.2, the worm attempts to exploit a vulnerable rpc.statd or wu-ftpd service. For Red Hat 7.0, the worm tries to exploit an LPRng bug to gain access to the system.

Once the machine is infected, Ramen starts an HTTP server on port 27374 to serve out copies of itself. It then closes the hole it came in through, so that others cannot reinfect the machine: on Red Hat 6.2 rpc.statd is removed; on Red Hat 7.0 lpd is removed. Also, the users "ftp" and "anonymous" are added to /etc/ftpusers to close the wu-ftpd hole.

Removal of Ramen

(This is from ISS; I have not personally installed the worm.)

1. Delete /usr/src/.poop and /sbin/asp.
2. If it exists, remove /etc/xinetd.d/asp.
3. Remove all lines in /etc/rc.d/rc.sysinit which refer to any file in /etc/src/.poop.
4. Remove any lines in /etc/inetd.conf referring to /sbin/asp.
5. Reboot the system or manually kill any processes such as synscan, start.sh, scan.sh, hackl.sh, or hackw.sh.
6. ISS recommends that ftp, rpc.statd, or lpr not be enabled until updates have been installed.

Install these patches:

LPRng, RH 7.0: http://www.redhat.com/support/errata/RHSA-2000-065-06.html
wu-ftpd, RH 6.2: http://www.redhat.com/support/errata/RHSA-2000-039-02.html

Further information can be found at:

http://www.sans.org/current.htm
http://service1.symantec.com/sarc/sarc.nsf/html/Linux.Ramen.Worm.html
http://xforce.iss.net/alerts/advise71.php

William is an Open-Source developer, enthusiast, and advocate from Vermont, USA. His day job at the Institute for Security Technology Studies at Dartmouth College pays him to work on network security and Linux projects.
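The tool goals and the variant notes above call for a detect-only shell script that can run from rescue media without trusting the infected host's ps or netstat. The script below is an added example written for this page; it is not Ramenfind and not code by William Stearns. It checks a root directory you supply (the live "/" or a mounted suspect disk) for the indicators the page lists: the Ramen paths, the ps/netstat/login wrappers that embed the /usr/lib/ldlib*.so names, rc.sysinit and inetd.conf hooks, the added crontab entries, and the worm's HTTP listener on tcp/27374, which it reads straight from /proc/net/tcp rather than through the possibly wrapped netstat. The function names, the grep patterns and the output format are my own assumptions; the paths and port come from the page.

```shell
#!/bin/sh
# ramen_scan.sh: filesystem-level check for the Ramen indicators listed on
# this page. Added example, not Ramenfind itself. Point ROOT at "/" for a
# live system, or at the mount point of the suspect disk when running from
# rescue media. Because the variant swaps ps and netstat for filtering
# wrappers, nothing here calls either one; listeners are read from
# /proc/net/tcp instead.

# Paths the page attributes to Ramen and its variant, plus /usr/src/.poop
# and /sbin/asp from the ISS removal steps.
RAMEN_PATHS="/usr/src/.poop /sbin/asp /etc/xinetd.d/asp /usr/sbin/update
/usr/lib/ldlibns.so /usr/lib/ldlibps.so /usr/lib/ldliblogin.so /usr/bin/lpd"

# Binaries the variant replaces with wrappers that run the moved original.
WRAPPED_BINS="/bin/ps /bin/netstat /bin/login"

# ramen_listener TCPFILE: return 0 if a LISTEN (state 0A) socket on port
# 27374 (hex 6AE6) appears in a /proc/net/tcp-format file, 1 otherwise.
ramen_listener() {
    [ -r "$1" ] || return 1
    grep -Eq '^ *[0-9]+: [0-9A-F]{8}:6AE6 [0-9A-F]{8}:[0-9A-F]{4} 0A ' "$1"
}

# ramen_scan ROOT: print one line per indicator found, then a summary line
# "indicators: N". Return 0 when N is 0, 1 otherwise. Detection only; the
# removal steps are left to the operator so each can be confirmed by hand.
ramen_scan() {
    root="${1:-}"
    found=0

    for p in $RAMEN_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND path: $p"
            found=$((found + 1))
        fi
    done

    # A wrapper carries the moved binary's new name as a literal string;
    # a genuine ps, netstat or login never mentions /usr/lib/ldlib*.so.
    for b in $WRAPPED_BINS; do
        if [ -f "$root$b" ] && grep -Eq '/usr/lib/ldlib(ps|ns|login)\.so' "$root$b"; then
            echo "FOUND wrapper: $b"
            found=$((found + 1))
        fi
    done

    # Startup hooks: rc.sysinit lines for a .poop directory or the
    # relocated lpd, inetd.conf lines for /sbin/asp.
    for cfg in /etc/rc.d/rc.sysinit /etc/inetd.conf; do
        if [ -f "$root$cfg" ] && grep -Eq '/\.poop/|/sbin/asp|/usr/bin/lpd' "$root$cfg"; then
            echo "FOUND startup hook in: $cfg"
            found=$((found + 1))
        fi
    done

    # Crontab entries the variant adds (reading /var/spool/cron needs root).
    for cron in "$root"/etc/crontab "$root"/var/spool/cron/*; do
        if [ -f "$cron" ] && grep -Eq '/usr/sbin/update|synscan' "$cron"; then
            echo "FOUND crontab entry in: ${cron#"$root"}"
            found=$((found + 1))
        fi
    done

    if ramen_listener "$root/proc/net/tcp"; then
        echo "FOUND listener on tcp/27374 (worm HTTP server)"
        found=$((found + 1))
    fi

    echo "indicators: $found"
    [ "$found" -eq 0 ]
}

# Usage: sh ramen_scan.sh /             (live system)
#        sh ramen_scan.sh /mnt/suspect  (disk mounted from rescue media)
# Sourcing the file (". ./ramen_scan.sh") only defines the functions.
if [ $# -gt 0 ]; then
    ramen_scan "$1"
fi
```

Run it as an unprivileged user first; only the crontab check needs root (or sudo), which matches the tool goal of escalating per command rather than running everything as root. The string match inside ps, netstat and login is a heuristic for this specific variant, and a mounted image has no /proc, so the listener check only applies to a live host.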