SecurityHome.eu Worm.Linux.Mare.D

Home / malware PDF

Worm.Linux.Mare.D

First posted on 21 November 2011.
Source: BitDefender
Aliases :
There are no other names known for Worm.Linux.Mare.D.
Explanation :
This worm is compiled with gcc. The virus scans for port 80 on random IP addresses. If one of these computers has a XML-RPC for PHP Remote Code Injection vulnerability (Bugtraq ID 14088 , http://mamboserver.com/ ), the worm sends several commands to the victim computer (that download the worm using wget).

Once a computer is infected , the worm send a notification message (via UDP) on attacker server , port 25555. The worm opens 500 TCP conections at once while scanning for vulnerability on hosts. This increses CPU usage (many syncronize conections (SYN) can be seen using "netstat" linux application).

The worm also tries to download itself on victim computer (using php/xml vulnerabilities) from the following address http://209.123.16.34/ .
Last update 21 November 2011

TOP

Malware :

RATDispenser
whispergate
Borat RAT
Trojanized X_Trader
BlackLotus

Last 20