
Linux.Worm.Slapper.B/C

MEDIUM
MEDIUM
N/A
(Linux.Slapper.Worm)

Symptoms

- File /tmp/.cinik, /tmp/.cinik.c, /tmp/.cinik.go (variant B);
- File /tmp/.unlock.c, /tmp/httpd, /tmp/.update.c, /tmp/update;
- directory /tmp/.font-unix/.cinik (variant B);
- Message  "foo" …

Removal instructions:

If you don't have BitDefender for Linux installed, download an evaluation version.

1. Make sure that you have the latest updates, using bdc --update or the manual update for this product.

2. Terminate the virus process using killall -9 process_name, or by restarting the computer.

3. Use BitDefender for Linux with the following parameters in the command line:
bdc --all --delete --list /tmp

4. Update the version of the Apache server to eliminate the vulnerability.

Analyzed By

Costin Ionescu BitDefender Virus Researcher

Technical Description:

These are two variants of Linux.Worm.Slapper.A. They use the same exploit and the changes are minor. The file names differ from the first variant, as listed in the Symptoms section. Another change is the port of the backdoor component of the virus:
- 1978 - variant B
- 4156 - variant C

The B variant sends a notification mail message to the address cinik_worm@yahoo.com with the IP and some other information about the infected host. Some comments in the virus source (.cinik.c) are written in Romanian. If the virus fails to download the source code onto the victim, it will try to download it from a Romanian site.

The C variant contains another backdoor (.update.c and update) which connects on port 1052. To be used, the backdoor requires a password. The virus also sends a notification to aion@ukr.net.

In conclusion, analysis of the source code indicates that these variants were modified by a 24-year-old Romanian (variant B) and a 21-year-old Ukrainian (variant C).
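The following host check is an added example and is not part of the Bitdefender write-up or its product. It turns the Symptoms list and the backdoor ports named above (1978 for variant B, 4156 for variant C, and 1052 for the C variant's second backdoor) into a small POSIX shell script a responder can run before and after the removal steps. Indicator paths are checked relative to a root directory argument so the logic can be exercised on a scratch directory tree, and listening-socket lines are read from stdin in the column layout of `ss -Hltn` or `netstat -ltn` (local address in the fourth column); those two tools and the assumption that Slapper listens on TCP are the example's own.

```shell
#!/bin/sh
# Added example (not Bitdefender's code): check a host for Linux.Worm.Slapper.B/C
# indicators. Paths and ports come from the write-up above; the ss/netstat
# column layout is an assumption of this script.

# Indicator files and directories from the Symptoms section.
SLAPPER_FILES="/tmp/.cinik /tmp/.cinik.c /tmp/.cinik.go /tmp/.unlock.c /tmp/httpd /tmp/.update.c /tmp/update"
SLAPPER_DIRS="/tmp/.font-unix/.cinik"
# Backdoor ports: 1978 (variant B), 4156 (variant C), 1052 (variant C, second backdoor).
SLAPPER_PORTS="1978 4156 1052"

# slapper_file_hits ROOT: print each indicator path that exists under ROOT.
# ROOT defaults to empty, i.e. the live filesystem.
slapper_file_hits() {
    root="${1:-}"
    for f in $SLAPPER_FILES; do
        [ -f "$root$f" ] && printf 'file %s\n' "$root$f"
    done
    for d in $SLAPPER_DIRS; do
        [ -d "$root$d" ] && printf 'dir  %s\n' "$root$d"
    done
    return 0
}

# slapper_port_hits: read listening-socket lines on stdin (fourth column is
# the local address, e.g. 0.0.0.0:1978 or [::]:4156) and print each backdoor
# port found listening, once.
slapper_port_hits() {
    awk -v ports="$SLAPPER_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NF >= 4 {
            m = split($4, a, ":"); port = a[m]
            if ((port in want) && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# slapper_check ROOT: run both checks, reading listener lines on stdin.
# Prints every hit; returns 1 if anything matched, 0 if nothing did.
slapper_check() {
    root="${1:-}"
    files="$(slapper_file_hits "$root")"
    ports="$(slapper_port_hits)"
    status=0
    [ -n "$files" ] && { printf '%s\n' "$files"; status=1; }
    [ -n "$ports" ] && { printf 'port %s\n' $ports; status=1; }
    return $status
}

# Live run (only when invoked as: sh slapper_check.sh --run).
if [ "${1:-}" = "--run" ]; then
    { ss -Hltn 2>/dev/null || netstat -ltn 2>/dev/null; } | slapper_check "" \
        && echo "no Slapper.B/C indicators found"
fi
```

A clean host prints nothing and exits 0; a hit prints the matching path or port and exits 1, which makes the script usable as a pre/post check around step 3 of the removal instructions. Because the file list is the one published above, the script detects only these two variants by their known drop locations, not a renamed build.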