This was spotted on our real-time honeypot systems 
(running Apache 1.3.24, of course)

bash-2.05a$ ls -la /tmp
total 128
drwxrwxrwt   3 root    wheel    512 Jun 28 14:02 .
-rwxr-xr-x   1 nobody  wheel  51626 Jun 28 08:25 .a
-rw-r--r--   1 nobody  wheel  70563 Jun 28 08:25 .uua

New: source-code for apache-worm.c

.a:   ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), 
	dynamically linked (uses shared libs), not stripped
.uua: uuencoded or xxencoded text


Notes:

I ran transparent web server (serving whole Net for the honeypot), so I could
be able to get requests the agent builds.

During runtime it sends an UDP packet (helo) to it's 'base' address. 

It accepts commands on udp port 2001, that also allow flooding specified targets
(is DDoS agent).

At first it connects to 80 port and sends simple HTTP request. 
If it succeeds and gets vulnerable string (Apache?) then it does another
attack, which clearly shows what is exploited (chunks). This is enough for a signature? :) 


References:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=1492768+0+current/freebsd-security
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=1494815+0+current/freebsd-security


--
Domas Mituzas
Central Systems
MicroLink Data

or just... dammit