McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Trojan-Downloader.Shell.Small.b (Kaspersky)

• UNIX_MARE.D (TrendMicro)

Characteristics

The detection for Generic Downloader are for several specific trojan variants written in Unix shell scripting languages, so this description is meant as a general guide. This detection is for trojans which are intended to retrieve and execute files from a remote server.  This file will then be automatically executed on the infected machine.  The nature of the remote file may vary. As the presence of these trojans and remote files are discovered, sites hosting these files are frequently taken down, so the downloading may cease to function as expected.  This may result in empty, 0 byte files or HTML error messages being downloaded instead, or the remote file simply not being downloaded at all.

As new trojans are frequently added to this detection, users are recommended to use the latest engine/DAT combination for optimal detection. Variants are likely to be packed with a PE packer, so enabling the scanning of compressed files will also provide optimal detection.

Exact details (filenames, file size) will vary between variants.

Typically this downloader variant will install itself and/or the remote file into the /tmp directory on Unix systems such as in the case of Linux/Lupper.worm.b :

• /tmp/supina
• /tmp/.temp/ping.txt

Symptoms

Perimeter or Desktop firewall application alerting that a foreign application or web server is attempting to access the Internet.

Method of Infection

This purpose of this trojan is simply to download a file from the Internet and execute it. It does not self-replicate. Unix shell scripting based downloader trojans are typically installed during web server instrusions. These intrusions may be related to exploits relating to web server vulnerabilities, for example:

• XML-RPC for PHP parseRequest() Function Arbitrary PHP Code Execution  (CVE-2005-1921)
• AWStats CONFIGDIR Parameter Arbitrary Command Execution  (CVE-2005-0116)

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Trojan-Downloader.Shell.Small.b (Kaspersky)

• UNIX_MARE.D (TrendMicro)

Characteristics

Characteristics -

The detection for Generic Downloader are for several specific trojan variants written in Unix shell scripting languages, so this description is meant as a general guide. This detection is for trojans which are intended to retrieve and execute files from a remote server.  This file will then be automatically executed on the infected machine.  The nature of the remote file may vary. As the presence of these trojans and remote files are discovered, sites hosting these files are frequently taken down, so the downloading may cease to function as expected.  This may result in empty, 0 byte files or HTML error messages being downloaded instead, or the remote file simply not being downloaded at all.

As new trojans are frequently added to this detection, users are recommended to use the latest engine/DAT combination for optimal detection. Variants are likely to be packed with a PE packer, so enabling the scanning of compressed files will also provide optimal detection.

Exact details (filenames, file size) will vary between variants.

Typically this downloader variant will install itself and/or the remote file into the /tmp directory on Unix systems such as in the case of Linux/Lupper.worm.b :

• /tmp/supina
• /tmp/.temp/ping.txt

Symptoms

Symptoms -

Perimeter or Desktop firewall application alerting that a foreign application or web server is attempting to access the Internet.

Method of Infection

Method of Infection -

This purpose of this trojan is simply to download a file from the Internet and execute it. It does not self-replicate. Unix shell scripting based downloader trojans are typically installed during web server instrusions. These intrusions may be related to exploits relating to web server vulnerabilities, for example:

• XML-RPC for PHP parseRequest() Function Arbitrary PHP Code Execution  (CVE-2005-1921)
• AWStats CONFIGDIR Parameter Arbitrary Command Execution  (CVE-2005-0116)

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A