Prevalence:

Medium
Name:
Worm.Linux.Mare.D
Type:
How it spreads:
This worm is compiled with gcc. The virus scans for port 80 on random IP addresses. If one of these computers has an XML-RPC for PHP Remote Code Injection vulnerability (Bugtraq ID 14088, http://mambo
Affected operating:
Aliases:
Date of surface:
Feb 21 2006 12:00AM
This worm is compiled with gcc. The virus scans for port 80 on random IP addresses. If one of these computers has an XML-RPC for PHP Remote Code Injection vulnerability (Bugtraq ID 14088, http://mamboserver.com/), the worm sends several commands to the victim computer that download the worm using wget.
Once a computer is infected, the worm sends a notification message (via UDP) to the attacker's server on port 25555. The worm opens 500 TCP connections at once while scanning hosts for the vulnerability. This increases CPU usage (many connections in the SYN (synchronize) state can be seen using the Linux "netstat" utility).
The worm also tries to download itself onto the victim computer (using PHP/XML vulnerabilities) from the following address: http://209.123.16.34/.
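The network traits described above can be checked on a suspect Linux host by parsing `netstat -an` output. The following is an added example, not part of the original entry or any eScan tool; the function names, the threshold of 100 and the sample lines are assumptions, and the sample output is constructed using documentation address ranges.

```python
SCAN_PORT = 80                   # port the worm scans, per the description
NOTIFY_UDP_PORT = 25555          # UDP notification port, per the description
DOWNLOAD_HOST = "209.123.16.34"  # download address, per the description
SYN_THRESHOLD = 100              # assumption: well under the worm's 500, well over normal use

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6-style addresses survive."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def analyze_netstat(text):
    """Return findings for the traits above from `netstat -an` output."""
    syn_targets = set()
    notify, download = [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        host, port = split_endpoint(f[4])
        state = f[5] if len(f) > 5 else ""
        if f[0].startswith("tcp") and state == "SYN_SENT" and port == str(SCAN_PORT):
            syn_targets.add(host)
        # A UDP socket lists a peer only if it was connect()ed.
        if f[0].startswith("udp") and port == str(NOTIFY_UDP_PORT):
            notify.append(host)
        if host == DOWNLOAD_HOST:
            download.append(f[4])
    return {
        "syn_sent_port80_hosts": len(syn_targets),
        "scan_suspected": len(syn_targets) >= SYN_THRESHOLD,
        "udp_notify_peers": notify,
        "download_host_connections": download,
    }

def constructed_sample(n_scans):
    """Build constructed netstat output with n_scans (<= 500) half-open port-80 connections."""
    nets = ["192.0.2", "198.51.100"]  # documentation ranges, not real targets
    lines = ["Proto Recv-Q Send-Q Local Address           Foreign Address         State",
             "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN",
             "tcp        0      0 10.0.0.5:51000          209.123.16.34:80        ESTABLISHED",
             "udp        0      0 10.0.0.5:38211          203.0.113.9:25555       ESTABLISHED"]
    for i in range(n_scans):
        lines.append(f"tcp        0      1 10.0.0.5:{40000 + i}          "
                     f"{nets[i // 250]}.{i % 250 + 1}:80         SYN_SENT")
    return "\n".join(lines)

if __name__ == "__main__":
    print(analyze_netstat(constructed_sample(500)))
```

On a live host, pass the text of `netstat -an` to `analyze_netstat` in place of the constructed sample.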
For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.
You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site.
Alternatively, you can install MicroWorld’s Internet Security Suite, which has real-time detection capabilities.
You can download and install the product from our eScan download page.