spacer [an error occurred while processing this directive]
About the Project
Research Alliance
Our Book

Scan of the Month

Scan 25

This month's challenge is to analyze the source code of a worm captured by a Honeynet. All submissions are due no later then 23:00 GMT, Friday, November 29th. Results will be released Friday, December 06. Note, there will be no new SotM challenge for December or January. The next challenge will be February, 2003.

Skill Level: Advanced

The Challenge:
Members from the Honeynet.BR team have captured a new worm from the wild. The file (.unlock), was used by the worm to infect the honeypot. Your mission is to analyze the captured file in order to answer the questions below. Be sure you review the submission rules at the SotM challenge page before submitting your results.

Download the Binary
Note: The MD5 and SHA1 checksums are shown below.

MD5  (.unlock) = a03b5be9264651ab30f2223592befb42
SHA1 (.unlock) = 4b018cdfdbcf71ddaa789e8ecc9ed7700660021a


  1. Which is the type of the .unlock file? When was it generated?
  2. Based on the source code, who is the author of this worm? When it was created? Is it compatible with the date from question 1?
  3. Which process name is used by the worm when it is running?
  4. In wich format the worm copies itself to the new infected machine? Which files are created in the whole process? After the worm executes itself, wich files remain on the infected machine?
  5. Which port is scanned by the worm?
  6. Which vulnerability the worm tries to exploit? In which architectures?
  7. What kind of information is sent by the worm by email? To which account?
  8. Which port (and protocol) is used by the worm to communicate to other infected machines?
  9. Name 3 functionalities built in the worm to attack other networks.
  10. What is the purpose of the .update.c program? Which port does it use?

  11. Bonus Question: What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?

The Results:
This months challenge questions, judging and team writeup are done by the Honeynet.BR team.

Writeup from Cristine Hoepers and Klaus Steding-Jessen from The Honeynet.BR Team

Writeup from the Security Community

This month we received 41 submissions. The top 30 submissions are listed here. We would like to thank the people who have submitted their writeups for the time and effort dedicated to this challenge.

Top 5 Entries:

Remaining Top 10 Entries

Remaining Entries

Back to Top