BitDefender Antivirus

Worm.Linux.Mare.D

Spreading: medium
Damage: medium
Size: ~470 KB
Discovered: 2006 Feb 21

SYMPTOMS:

Presence of the file “listen.log” in the same directory as the worm.
UDP port 27015 is opened.
Increased CPU usage due to the many outgoing TCP connections to port 80.

TECHNICAL DESCRIPTION:

This worm is compiled with gcc. It scans port 80 on random IP addresses. If one of these computers has the XML-RPC for PHP remote code injection vulnerability (Bugtraq ID 14088, http://mamboserver.com/), the worm sends several commands to the victim computer that download the worm using wget.

Once a computer is infected, the worm sends a notification message (via UDP) to the attacker's server on port 25555. The worm opens 500 TCP connections at once while scanning hosts for the vulnerability. This increases CPU usage; the many half-open connections in the SYN state can be seen with the Linux "netstat" utility.


The worm also tries to download itself onto the victim computer (using the PHP/XML-RPC vulnerability) from the following address: http://209.123.16.34/ .
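The two network symptoms above (a UDP listener on 27015 and a burst of half-open outbound connections to port 80) can be checked from `netstat -tuan` output. The following triage script is an added example, not BitDefender's tooling; it assumes the standard Linux netstat column layout and uses an illustrative SYN_SENT threshold (SYN_THRESHOLD) and a constructed sample capture.

```python
"""Triage helper: flag the network symptoms listed above in `netstat -tuan`
output. Added example, not BitDefender's tooling. Assumes Linux netstat
columns (Proto Recv-Q Send-Q Local Foreign State); SYN_THRESHOLD is illustrative."""

SYN_THRESHOLD = 100    # assumed: ordinary hosts rarely hold this many half-open web connections
WORM_UDP_PORT = 27015  # UDP listener opened by the worm (from the description)
SCAN_DST_PORT = 80     # port the worm scans

def parse_netstat(text):
    """Yield (proto, local, foreign, state) from netstat -tuan output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # skip banner, header and unrelated lines
        state = parts[5] if len(parts) > 5 else ""  # UDP rows carry no state
        yield parts[0], parts[3], parts[4], state

def port_of(addr):
    """Port from 'ip:port' or '[v6]:port'; None for the wildcard 'ip:*'."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def check_symptoms(netstat_text, syn_threshold=SYN_THRESHOLD):
    """Report the UDP 27015 listener and a burst of half-open TCP connections to port 80."""
    udp_listener, syn_to_80 = False, 0
    for proto, local, foreign, state in parse_netstat(netstat_text):
        if proto.startswith("udp") and port_of(local) == WORM_UDP_PORT:
            udp_listener = True
        if proto.startswith("tcp") and state == "SYN_SENT" and port_of(foreign) == SCAN_DST_PORT:
            syn_to_80 += 1
    return {"udp_27015_listener": udp_listener,
            "syn_sent_to_80": syn_to_80,
            "scan_burst": syn_to_80 >= syn_threshold}

# Constructed sample (not captured from a real infection): one UDP listener on
# 27015 and three half-open connections to unrelated addresses on port 80.
SAMPLE = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp        0      1 10.0.0.5:40001          198.51.100.7:80         SYN_SENT
tcp        0      1 10.0.0.5:40002          203.0.113.44:80         SYN_SENT
tcp        0      1 10.0.0.5:40003          192.0.2.130:80          SYN_SENT
udp        0      0 0.0.0.0:27015           0.0.0.0:*
"""

if __name__ == "__main__":
    print(check_symptoms(SAMPLE, syn_threshold=3))
```

On a live host, pipe `netstat -tuan` into `check_symptoms` and treat a positive `scan_burst` together with the 27015 listener as a cue to look for the listen.log file and the owning process.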

Removal instructions:

a) Let BitDefender disinfect your files.

or

b) Kill the worm process and delete its file from the disk.

ANALYZED BY:

Gavrilut Dragos, Virus Researcher, and Ciorceri Sorin, Virus Researcher