JBoss - CVE-2010-0738 - "kisses" worm removal


Environment

Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08

Issue

https://www.redhat.com/security/data/cve/CVE-2010-0738.html

https://access.redhat.com/kb/docs/DOC-30741

The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.

Resolution

Aside from upgrading to an unaffected version, you can easily configure your existing installation to stop this attack.

Stop the JBoss server.
Edit the file: "$JBOSS_HOME/server/$PROFILE/deploy/jmx-console.war/WEB-INF/web.xml"

Remove these two lines from the security constraints. Without an explicit method list, the constraint applies to every HTTP method, so requests using HEAD or any other method are no longer able to bypass it:

<http-method>GET</http-method>
<http-method>POST</http-method>

Remove the actual worm:

cd $JBOSS_HOME/server/$PROFILE/deploy
rm -rf zGiruLqk.war UIcAPtyd.war siPmbGje.war cCnbiguv.war

cd $JBOSS_HOME/server/$PROFILE/deploy/management
rm -rf iesvc.war zecmd.war WuPCvwTH.war idssvc.war fXWrkyBQ.war foo2.war

Note that the above list may not be exhaustive, and your system may not have all of them; the names appear to be more or less random.

When in doubt, open the WAR files: each malicious one contains a single JSP file with a random name.

Remove the payload:

find / -iname kisses.tar.gz -type f -print0 | xargs -0 rm -f
find / -iname kisses -type d -print0 | xargs -0 rm -rf
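The two checks this solution relies on (whether the jmx-console constraint still lists explicit methods, and whether any deployed WAR consists of a single randomly named JSP) as an added Python triage script; this is example code written for this article, not Red Hat or JBoss tooling. It assumes the 4.x profile layout used above, treats a "random" JSP name as 6-12 mixed-case letters (a heuristic, not something the worm guarantees), and builds a constructed sample profile so it runs offline.

```python
import os, re, tempfile, zipfile
import xml.etree.ElementTree as ET

DEPLOY_SUBDIRS = ("deploy", os.path.join("deploy", "management"))
WEB_XML = os.path.join("deploy", "jmx-console.war", "WEB-INF", "web.xml")
# Assumption: a "random" JSP name is 6-12 letters mixing upper and lower case (cf. zGiruLqk, WuPCvwTH).
RANDOM_JSP = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{6,12}\.jsp$")

def jsp_entries(war_path):
    """JSP file names inside an exploded (directory) or archived (zip) WAR."""
    if os.path.isdir(war_path):
        return [f for _, _, files in os.walk(war_path) for f in files if f.lower().endswith(".jsp")]
    if zipfile.is_zipfile(war_path):
        with zipfile.ZipFile(war_path) as zf:
            return [os.path.basename(n) for n in zf.namelist() if n.lower().endswith(".jsp")]
    return []

def suspicious_wars(profile_dir):
    """(war, jsp) pairs for WARs in the deploy directories that hold exactly one randomly named JSP."""
    hits = []
    for sub in DEPLOY_SUBDIRS:
        d = os.path.join(profile_dir, sub)
        wars = sorted(n for n in os.listdir(d) if n.endswith(".war")) if os.path.isdir(d) else []
        for name in wars:
            jsps = jsp_entries(os.path.join(d, name))
            if len(jsps) == 1 and RANDOM_JSP.match(jsps[0]):
                hits.append((os.path.join(sub, name), jsps[0]))
    return hits

def constrained_methods(profile_dir):
    """http-method values left in jmx-console's web.xml; [] means the constraint covers every method."""
    root = ET.parse(os.path.join(profile_dir, WEB_XML)).getroot()
    return sorted(e.text.strip() for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "http-method")

def build_sample_profile(base=None):
    """Constructed sample profile: vulnerable jmx-console, two worm-style WARs (one zipped), one clean WAR."""
    base = base or tempfile.mkdtemp()
    files = {WEB_XML: "<web-app><security-constraint><web-resource-collection><http-method>GET</http-method>"
                      "<http-method>POST</http-method></web-resource-collection></security-constraint></web-app>",
             "deploy/management/foo2.war/kLmNoPqR.jsp": "<% %>",  # exploded worm-style WAR
             "deploy/myapp.war/index.jsp": "<% %>"}               # clean application, must not be flagged
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "w") as f:
            f.write(body)
    with zipfile.ZipFile(os.path.join(base, "deploy", "zGiruLqk.war"), "w") as zf:
        zf.writestr("aQwErTyU.jsp", "<% %>")  # archived worm-style WAR
    return base
```

Run `suspicious_wars("$JBOSS_HOME/server/$PROFILE")` against a real profile to list candidates for manual inspection, and `constrained_methods(...)` to confirm the web.xml edit took effect (it should return an empty list).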

If you have not already done so as described in the installation docs, don't forget to secure your JMX console; please follow this article

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
