Draft:Lion worm

Lion worm
Lion worm
Original author	Unknown
Initial release	March 2001
Written in	Bash, C
Operating system	Linux
Platform	x86
Type	Computer worm, Malware

Submission declined on 7 April 2026 by Pythoncoder (talk).

This draft appears to contain text generated by a large language model (such as ChatGPT). You cannot use LLMs to generate article content.

LLM-generated pages with certain obvious signs of being machine generated may be deleted without notice.

These tools are prone to specific issues that violate our policies:

hallucinations: they often invent false information and cite non-existent references.
unencyclopedic tone: they tend to be vague, promotional, or essay-like, rather than neutral and factual.
copyright issues: they may closely paraphrase existing text, leading to copyright violations.

Instead, only summarize in your own words a range of independent, reliable, published sources that discuss the subject.

See the advice page on large language models for more information.

If you would like to continue working on the submission, click on the "Edit" tab at the top of the window.
If you have not resolved the issues listed above, your draft will be declined again and potentially deleted.
If you need extra help, please ask us a question at the AfC Help Desk or get live help from experienced editors.
Please do not remove reviewer comments or this notice until the submission is accepted.

Where to get help

If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews.
If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed.

How to improve a draft

Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia.
Help:Wikitext – how to use the markup
Help:Referencing for beginners – how to include references
Wikipedia:Article development – how to develop your article
Wikipedia:Writing better articles – how to improve your article
Wikipedia:Verifiability – make sure your article includes reliable third-party sources

You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article.

Improving your odds of a speedy review

To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags.

Add tags to your draft

Editor resources

Easy tools: Citation bot (help) | Advanced: Fix bare URLs

Declined by Pythoncoder 2 months ago. Last edited by Pythoncoder 2 months ago. Reviewer: Inform author.

Resubmit

Please note that if the issues are not fixed, the draft will be declined again.

Lion (also known as 1i0n) is a computer worm that spread over the Internet in early 2001, first reported by the SANS Institute on March 23, 2001.^[1] It targeted Linux machines running vulnerable versions of the BIND DNS software.^[2]

While the vulnerabilities in BIND affected multiple Unix-based operating systems,^[3] the worm code targeted Linux specifically, and more precisely Linux running on x86 processor architecture. A detection tool called lionfind, was written by William Stearns of the Dartmouth College Institute for Security Technology Studies, who also co-authored the original SANS advisory.^[4]

Media coverage

At the time of its spread, Lion received coverage in mainstream technology outlets. ITWorld and CNN both published reports on March 23, 2001, with the CNN article citing IDG as its source.^[5]^[6]

Technical analysis

A technical analysis was published by security researcher Max Butler (known online as Max Vision). He identified three versions of the worm. He also identified similarities with previous worms. Specifically with the ADM worm (1998), the Millennium worm (1999), and the Ramen worm (2001). Butler also reported having interviewed a individual claiming to be the author, though this attribution has not been independently verified.^[7]

A separate technical analysis mentions that Lion downloads a part from a web server located in China and that the worm sends password files to the china.com domain.^[8]

References

↑ "ALERT – A Dangerous New Worm Is Spreading on the Internet". LWN.net. 2001-03-23. Retrieved 2026-03-29.{{cite web}}: CS1 maint: url-status (link)
↑ Fearnow, Matt; Stearns, William. "Lion Worm". SANS Institute. Archived from the original on 2001-06-04. Retrieved 2026-03-29.
↑ "CA-2001-02: Multiple Vulnerabilities in BIND" (PDF). CERT Coordination Center. 2001-01-29. Retrieved 2026-03-29.
↑ "Lion Worm Detection Tool". Institute for Security Technology Studies, Dartmouth College. Archived from the original on 2004-06-07. Retrieved 2026-03-29.
↑ "New Linux Worm Spreading Rapidly". ITWorld. 2001-03-23. Archived from the original on 2003-12-31. Retrieved 2026-03-29.
↑ "Linux Worm Spreading Fast". CNN.com. 2001-03-23. Archived from the original on 2007-01-02. Retrieved 2026-03-29.
↑ Butler, Max (2001). "Lion Internet Worm Analysis". whitehats.com. Archived from the original on 2001-04-14. Retrieved 2026-03-29.
↑ Rautiainen, Sami (March 2021). "Lion". F-Secure.com. Archived from the original on 2001-04-14. Retrieved 2026-04-01.

[1] "ALERT – A Dangerous New Worm Is Spreading on the Internet". LWN.net. 2001-03-23. Retrieved 2026-03-29.{{cite web}}: CS1 maint: url-status (link)

[2] Fearnow, Matt; Stearns, William. "Lion Worm". SANS Institute. Archived from the original on 2001-06-04. Retrieved 2026-03-29.

[3] "CA-2001-02: Multiple Vulnerabilities in BIND" (PDF). CERT Coordination Center. 2001-01-29. Retrieved 2026-03-29.

[4] "Lion Worm Detection Tool". Institute for Security Technology Studies, Dartmouth College. Archived from the original on 2004-06-07. Retrieved 2026-03-29.

[5] "New Linux Worm Spreading Rapidly". ITWorld. 2001-03-23. Archived from the original on 2003-12-31. Retrieved 2026-03-29.

[6] "Linux Worm Spreading Fast". CNN.com. 2001-03-23. Archived from the original on 2007-01-02. Retrieved 2026-03-29.

[7] Butler, Max (2001). "Lion Internet Worm Analysis". whitehats.com. Archived from the original on 2001-04-14. Retrieved 2026-03-29.

[8] Rautiainen, Sami (March 2021). "Lion". F-Secure.com. Archived from the original on 2001-04-14. Retrieved 2026-04-01.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

Draft:Lion worm

Contents

Media coverage

Technical analysis

See also

References