Linux/Lupper.worm.b

Type: Virus
SubType: Internet Worm
Discovery Date: 11/09/2005
Length: Varies
Minimum DAT: 4624 (11/09/2005)
Updated DAT: 5084 (07/26/2007)
Minimum Engine: 5.1.00
Description Added: 11/09/2005
Description Modified: 02/25/2006 10:41 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update February 21, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.heise.de/english/newsticker/news/69878


-- February 20, 2006 --
Recent download scripts used by Linux/Lupper.worm.b in the wild were found to be downloading several BackDoor and Bot trojans. These trojans are detected as Linux/Rst.b, Perl/Shellbot, and Perl/BackDoor-CXZ.gen.

It is important to note that as Linux/Lupper.worm.b downloads a fresh list of files on each intrusion, new trojans and malware may be introduced into the victim machine over time. Web servers should be configured to restrict shell access and remote file download via the PHP scripting engine. This trend is being monitored by AVERT.

At the time of writing, it may download and create the following file(s) -- filenames may vary as the download script is hosted on a remote server:

  • /tmp/.temp/ping.txt (Perl/Backdoor-CXZ.gen)
  • /tmp/.temp/https (Perl/Shellbot)
  • /tmp/.temp/httpd (Linux/Lupper.worm.b)
  • /tmp/.temp/cb (Linux/Rst.b)
  • /tmp/supina (download script detected as Generic Downloader.ax)

-- February 17, 2006 --

A recent version of this variant was discovered in the wild. It was found to have exploited an additional vulnerability.

It may target the following URLs:

  • http://[website]/cvs/
  • http://[website]/articles/mambo/
  • http://[website]/cvs/mambo/

At the time of writing, the worm downloads a copy of itself and Linux/DDoS-Kaiten onto the target victim machine.

This is a worm that spreads by exploiting web servers hosting vulnerable PHP/CGI scripts. Like its other variant, Linux/Lupper.worm.b attacks web servers by sending malicious HTTP requests on port 80. When successful, a copy of the worm can be downloaded and executed on the compromised web server with the privileges of the web server user, usually the "nobody" or "apache" user.

This variant sequentially scans the Class C subnets of randomly selected Class B IP segments.

When executed, the worm can accept remote commands and version updates. It may also be used to relay commands to other peers.


Symptoms

Presence of one or more of the following files:

  • /tmp/listen
  • /tmp/update.listen
  • /tmp/listen.log
  • /tmp/derfiq
  • /tmp/gicumz (download script)
  • /tmp/session (Linux/DDoS-Kaiten )

The following port is listening:

  • UDP 27015

Outgoing packets destined for:

  • UDP 25555

Significant increase in CPU utilization and new outgoing connections (SYN) on TCP port 80.
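As an added example (not part of the AVERT description), a Python check for the host-side symptoms above: it looks for the listed files under a given root and parses /proc/net/udp for a socket bound to UDP 27015 or connected to a peer on UDP 25555. The /proc/net/udp excerpt and the scratch directory it builds are constructed sample data.

```python
import os
import tempfile

# Indicator files named under Symptoms; relative to the root passed in, so a mounted image can be checked too.
INDICATOR_FILES = ["/tmp/listen", "/tmp/update.listen", "/tmp/listen.log",
                   "/tmp/derfiq", "/tmp/gicumz", "/tmp/session"]
LISTEN_PORT = 27015   # the worm's UDP listener
PEER_PORT = 25555     # destination port of its outgoing UDP packets

def find_indicator_files(root="/"):
    """Return the indicator paths that exist under `root`."""
    return [p for p in INDICATOR_FILES
            if os.path.lexists(os.path.join(root, p.lstrip("/")))]

def parse_proc_net_udp(text):
    """Parse /proc/net/udp into (local_port, remote_port) pairs; the file
    lists each socket as 'HEXIP:HEXPORT', one row per socket after a header."""
    pairs = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 3:
            continue
        pairs.append((int(fields[1].split(":")[1], 16),
                      int(fields[2].split(":")[1], 16)))
    return pairs

def udp_indicators(proc_net_udp_text):
    """Flag a socket bound to 27015 or connected to a peer on 25555. Only
    connect()ed UDP sockets show a remote port here; datagrams sent with
    sendto() on an unconnected socket need a packet capture to spot."""
    pairs = parse_proc_net_udp(proc_net_udp_text)
    return {"listening_27015": any(lp == LISTEN_PORT for lp, _ in pairs),
            "peer_25555": any(rp == PEER_PORT for _, rp in pairs)}

def build_sample_root():
    """Constructed sample tree containing two of the indicator files."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "tmp"))
    for name in ("listen", "derfiq"):
        open(os.path.join(root, "tmp", name), "w").close()
    return root

# Constructed /proc/net/udp excerpt: 0.0.0.0:27015 bound (0x6987), a normal
# DNS socket on 127.0.0.1:53, and 10.0.0.10 connected to 10.0.0.5:25555 (0x63D3).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  42: 00000000:6987 00000000:0000 07 00000000:00000000 00:00000000 00000000    99        0 31337
  43: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4096
  44: 0A00000A:8000 0500000A:63D3 01 00000000:00000000 00:00000000 00000000    99        0 31338
"""
```

On a live host, pass the contents of /proc/net/udp to `udp_indicators()` and call `find_indicator_files()` with the default root.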

Method of Infection

This variant spreads by exploiting specific PHP/CGI script vulnerabilities that could be hosted on the following URLs:

  • http://[website]/xmlrpc/xmlrpc.php
  • http://[website]/wordpress/xmlrpc.php
  • http://[website]/phpgroupware/xmlrpc.php
  • http://[website]/drupal/xmlrpc.php
  • http://[website]/blogs/xmlsrv/xmlrpc.php
  • http://[website]/blog/xmlsrv/xmlrpc.php
  • http://[website]/blog/xmlrpc.php
  • http://[website]/cgi-bin/awstats/
  • http://[website]/cgi-bin/

These URLs are related to the "XML-RPC for PHP parseRequest() Function Arbitrary PHP Code Execution" (CVE-2005-1921) and "AWStats CONFIGDIR Parameter Arbitrary Command Execution" (CVE-2005-0116) vulnerabilities.

Users of these products are advised to contact the respective vendors for the updated patch information.
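As an added example (not from the AVERT description), a Python scan over Apache combined-format access logs for clients that probe the paths listed above. The threshold of three distinct probed paths per client is an assumption of this example, chosen because one client walking the list looks like a scanner while a single POST to xmlrpc.php can be a legitimate blog client; the log lines are constructed.

```python
import re
from collections import defaultdict

# Request paths listed under "Method of Infection"; the [website] prefix is dropped.
TARGET_PATHS = (
    "/xmlrpc/xmlrpc.php", "/wordpress/xmlrpc.php", "/phpgroupware/xmlrpc.php",
    "/drupal/xmlrpc.php", "/blogs/xmlsrv/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php",
    "/blog/xmlrpc.php", "/cgi-bin/awstats/", "/cgi-bin/",
)

# Apache "combined" format: host ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_target_path(path):
    """True if the request path (query string ignored) is one of the probed URLs;
    entries ending in '/' are directories and match by prefix."""
    path = path.split("?", 1)[0]
    return any(path == t or (t.endswith("/") and path.startswith(t)) for t in TARGET_PATHS)

def scan_log(lines, threshold=3):
    """Group probed-path hits by client and report clients that touched at
    least `threshold` distinct probed paths (assumed scanner pattern)."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_target_path(rec["path"]):
            hits[rec["host"]].add(rec["path"].split("?", 1)[0])
    return {h: sorted(p) for h, p in hits.items() if len(p) >= threshold}

# Constructed log lines: 192.0.2.10 walks three of the probed paths in two seconds;
# 198.51.100.7 is a normal blog client that posts to xmlrpc.php once.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Feb/2006:10:01:02 +0000] "POST /xmlrpc/xmlrpc.php HTTP/1.0" 404 289 "-" "-"
192.0.2.10 - - [17/Feb/2006:10:01:02 +0000] "POST /wordpress/xmlrpc.php HTTP/1.0" 200 512 "-" "-"
192.0.2.10 - - [17/Feb/2006:10:01:03 +0000] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 289 "-" "-"
198.51.100.7 - - [17/Feb/2006:10:05:00 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 612 "-" "ecto/2.3"
198.51.100.7 - - [17/Feb/2006:10:05:10 +0000] "GET /blog/index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""
```

Run `scan_log(open("/var/log/apache2/access.log"))` to apply it to a real log; the return value maps each suspicious client to the probed paths it requested.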

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • ELF_MARE.C (TrendMicro)
  • Linux.Plupii.C (Symantec)
