McAfee DAT files contain detection and repair information for threats. The Minimum DAT field specifies the lowest/oldest DAT version that is capable of detecting the first incarnation of a threat, and its release date. The highest/newest DAT version should always be used for the most complete protection and is available on the Anti-Virus Updates page.
Each description displays the minimum, fully tested DAT version that includes regular detection for a particular threat. These fully tested DATs are released daily and, when necessary, also when a Medium, Medium On Watch, or High risk threat is discovered. An EXTRA.DAT is also posted for these more prevalent threats, if necessary.
For each description listed, detection is always available. If the DAT version specified is not yet available, an EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page. Alternatively, minimally tested HOURLY BETA DAT files are available for download.
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Characteristics
This worm, reported on November 6, 2005, was formerly detected as Linux/Lupper.worm. This variant spreads by exploiting web servers hosting vulnerable PHP/CGI scripts. It is a modified derivative of the Linux/Slapper and BSD/Scalper worms, from which it inherits its propagation strategy: it scans an entire class B range whose first octet is chosen at random from a hard-coded list of class A values and whose second octet is generated at random.
The worm blindly attacks web servers by sending malicious HTTP requests on port 80. If the target server runs one of the vulnerable scripts at the specific URLs listed below, and its PHP/CGI environment permits external shell commands and remote file download, a copy of the worm is downloaded and executed.
Like its predecessors, the infected computers form a global network of compromised servers based on peer-to-peer communication principles. Because it accepts remote commands, this network can be used, for example, for Distributed Denial of Service (DDoS) attacks or other purposes. The worm is also capable of harvesting email addresses stored in files on the web server.
Symptoms
Presence of the following file:
One of the following ports is listening:
Method of Infection
This worm spreads by exploiting specific PHP/CGI script vulnerabilities in scripts that may be hosted at the following URLs:
- http://[website]/cgi-bin/
- http://[website]/scgi-bin/
- http://[website]/cgi-bin/awstats/
- http://[website]/scgi-bin/awstats/
- http://[website]/cgi/awstats/
- http://[website]/scgi/awstats/
- http://[website]/scripts/
- http://[website]/cgi-bin/stats/
- http://[website]/scgi-bin/stats/
- http://[website]/stats/
- http://[website]/xmlrpc.php
- http://[website]/xmlrpc/xmlrpc.php
- http://[website]/xmlsrv/xmlrpc.php
- http://[website]/blog/xmlrpc.php
- http://[website]/drupal/xmlrpc.php
- http://[website]/community/xmlrpc.php
- http://[website]/blogs/xmlrpc.php
- http://[website]/blogs/xmlsrv/xmlrpc.php
- http://[website]/blog/xmlsrv/xmlrpc.php
- http://[website]/blogtest/xmlsrv/xmlrpc.php
- http://[website]/b2/xmlsrv/xmlrpc.php
- http://[website]/b2evo/xmlsrv/xmlrpc.php
- http://[website]/wordpress/xmlrpc.php
- http://[website]/phpgroupware/xmlrpc.php
- http://[website]/cgi-bin/includer.cgi
- http://[website]/sgi-cgi/includer.cgi
- http://[website]/includer/cgi
- http://[website]/cgi-bin/include/includer.cgi
- http://[website]/scgi-bin/include/includer.cgi
- http://[website]/cgi-bin/inc/includer.cgi
- http://[website]/scgi-bin/inc/includer.cgi
- http://[website]/cgi-local/includer.cgi
- http://[website]/scgi-local/includer.cgi
- http://[website]/cgi/includer.cgi
- http://[website]/scgi/includer.cgi
- http://[website]/hints.pl
- http://[website]/cgi/hints.pl
- http://[website]/scgi/hints.pl
- http://[website]/cgi-bin/hints.pl
- http://[website]/scgi-bin/hints.pl
- http://[website]/hints/hints.pl
- http://[website]/cgi-bin/webhints/hints.pl
- http://[website]/scgi-bin/webhints/hints.pl
- http://[website]/hints.cgi
- http://[website]/cgi/hints.cgi
- http://[website]/scgi/hints.cgi
- http://[website]/cgi-bin/hints.cgi
- http://[website]/scgi-bin/hints.cgi
- http://[website]/hints/hints.cgi
- http://[website]/cgi-bin/hints/hints.cgi
- http://[website]/scgi-bin/hints/hints.cgi
- http://[website]/webhints/hints.cgi
- http://[website]/cgi-bin/webhints/hints.cgi
- http://[website]/scgi-bin/webhints/hints.cgi
These URLs are related to the following vulnerabilities:
- XML-RPC for PHP parseRequest() Function Arbitrary PHP Code Execution (CVE-2005-1921)
- AWStats CONFIGDIR Parameter Arbitrary Command Execution (CVE-2005-0116)
- WebHints Shell Command Injection Vulnerability (CVE-2005-1950)
Users of these products are advised to contact the respective vendors for the updated patch information.
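As an added example, not part of McAfee's advisory or the worm's code: a Python review of a web server's access log that flags requests matching the attack surface described above. It matches on the script names from the URL list wherever they sit, which covers every directory variant listed, plus awstats.pl, the AWStats CGI that the advisory references only by directory. The sample log lines are constructed for the demonstration, and the injection indicators (shell metacharacters in a CONFIGDIR or WebHints query, a POST to xmlrpc.php) are assumptions drawn from the CVE titles, not a copy of the worm's actual requests.

```python
"""Flag access-log requests matching the Linux/Lupper attack surface.

Added example, not McAfee's code. Sample log lines are constructed; the
injection indicators are assumptions derived from the CVE titles in the
advisory, not a copy of the worm's real requests.
"""
import re
from collections import defaultdict
from typing import Iterable, List, NamedTuple, Optional, Set
from urllib.parse import unquote, urlsplit

# Apache common/combined log format: only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Shell metacharacters a legitimate query to these CGIs never needs (assumption).
SHELL_META = re.compile(r"[|;`$]")


class Hit(NamedTuple):
    ip: str
    method: str
    path: str
    reason: str


def classify(method: str, target: str) -> Optional[str]:
    """Return why (method, target) looks like a Lupper probe, or None.

    Matches on the script name wherever it sits, which covers every
    directory variant in the advisory's URL list.
    """
    parts = urlsplit(target)
    name = parts.path.rsplit("/", 1)[-1].lower()
    query = unquote(parts.query)  # decode %7C etc. before looking for metacharacters
    if name == "xmlrpc.php":
        # CVE-2005-1921 is triggered by the XML body, which access logs do not
        # record, so a POST is only a lead to confirm from a body capture.
        if method == "POST":
            return "POST to xmlrpc.php: possible XML-RPC for PHP target (CVE-2005-1921), confirm from body"
        return None
    if name == "awstats.pl":  # AWStats CGI (assumed name; advisory lists only its directories)
        if "configdir=" in query.lower() and SHELL_META.search(query):
            return "awstats.pl configdir with shell metacharacters (CVE-2005-0116)"
        return None
    if name in ("hints.pl", "hints.cgi"):
        if SHELL_META.search(query):
            return "WebHints query with shell metacharacters (CVE-2005-1950)"
        return None
    if name == "includer.cgi":
        if SHELL_META.search(query):
            return "includer.cgi query with shell metacharacters (listed target; no CVE in advisory)"
        return None
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Parse log lines and collect the ones classify() flags."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common/combined log line; skip rather than guess
        reason = classify(m["method"], m["target"])
        if reason:
            hits.append(Hit(m["ip"], m["method"], urlsplit(m["target"]).path, reason))
    return hits


def sweeping_sources(hits: Iterable[Hit], min_targets: int = 2) -> Set[str]:
    """Source IPs that touched several distinct target scripts.

    The worm probes its whole URL list blindly, so one source hitting
    more than one script is a much stronger signal than any single hit.
    """
    seen = defaultdict(set)
    for h in hits:
        seen[h.ip].add(h.path)
    return {ip for ip, paths in seen.items() if len(paths) >= min_targets}


# Constructed sample: one sweeping source, one legitimate AWStats/XML-RPC user, one bystander.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Nov/2005:12:00:01 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|id| HTTP/1.1" 200 512 "-" "-"
10.0.0.5 - - [06/Nov/2005:12:00:02 +0000] "GET /cgi-bin/hints.pl?hints=x;id HTTP/1.1" 404 209 "-" "-"
10.0.0.5 - - [06/Nov/2005:12:00:03 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 331 "-" "-"
10.0.0.5 - - [06/Nov/2005:12:00:04 +0000] "GET /scgi-bin/include/includer.cgi?%7Cid%7C HTTP/1.1" 404 209 "-" "-"
198.51.100.3 - - [06/Nov/2005:12:05:00 +0000] "GET /cgi-bin/awstats/awstats.pl?config=example.com&lang=en HTTP/1.1" 200 8842 "-" "Mozilla/5.0"
198.51.100.3 - - [06/Nov/2005:12:05:01 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 331 "-" "ecto/2.3"
203.0.113.9 - - [06/Nov/2005:12:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ip:14} {h.method:4} {h.path:36} {h.reason}")
    print("sweeping sources:", sorted(sweeping_sources(found)))
```

Run it against a real log with scan(open(path)). The xmlrpc.php lead is deliberately low confidence: the legitimate blog client in the sample is flagged too, because the parseRequest() flaw lives in the POST body that access logs never record, so confirm from a request-body capture or a WAF log. The sweeping_sources() check is the stronger signal, since the worm blindly walks its whole URL list and a single source hitting several of these scripts has no benign explanation.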
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have that combination.
Variants