Discovered: November 16, 2005
Updated: November 17, 2005 7:41:43 PM
Systems Affected: Linux
This threat was originally published as Linux.Plupii.C and has been renamed Linux.Plupii.B.
Linux.Plupii.B is a worm with back door capabilities that spreads by exploiting vulnerabilities.
Once executed, the worm sends a notification message to a remote IP address (presumably controlled by the author of the threat) over UDP port 7555.
Next, the worm generates URLs which include the following strings:
/awstats/
/cgi-bin/
/cgi-bin/awstats/
/xmlrpc.php
/blog/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/drupal/xmlrpc.php
/phpgroupware/xmlrpc.php
/wordpress/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
The worm then sends HTTP requests to the URLs it generates and attempts to spread by exploiting the following Web application vulnerabilities:
The XML-RPC for PHP Remote Code Injection vulnerability (BID 14088)
The AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability (BID 10950)
The Darryl Burgdorf Webhints Remote Command Execution Vulnerability (BID 13930)
When the worm finds a vulnerable script, the exploit causes the target host to download a copy of the worm from the following Web site:
http://24.224.174.18/nikon
This copy is saved as the following file, which the worm then attempts to execute:
/tmp/nikon
This variant also carries leftover code from the previous version that is never executed, including a routine that would download a copy of the worm from the following Web site:
62.101.193.244/lupii
Had that routine run, the copy would have been saved as the following file and executed:
/tmp/lupii
The worm also opens a back door on UDP port 7555, giving a remote attacker unauthorized access to the compromised computer.
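The indicators above (the probed paths, the download hosts, the dropped files and the UDP 7555 back door) can be turned into checks a responder runs on a suspected Web server. The Python script below is an added example written for this writeup; it is not code from the original writeup and not the worm's own code. It assumes a combined-format access log at /var/log/apache2/access.log (any other location can be passed to scan_access_log), reads /proc/net/udp for the listener check, and treats the presence of a download host or drop path inside a request as a payload indicator, which the writeup does not state and is labelled as an assumption in the code. The sample log lines and the /proc/net/udp excerpt are constructed for illustration.

```python
"""Detection helpers for the Linux.Plupii.B indicators described above.

Added example, not code from the original writeup or from the worm. Scans
combined-format web access logs for the paths the worm probes, parses
/proc/net/udp for the UDP 7555 listener, and checks for the dropped files.
All sample data below is constructed.
"""
import os
import re
from collections import Counter
from typing import Callable, Iterable

# Indicators taken from the writeup.
PROBE_PATHS = (
    "/awstats/", "/cgi-bin/", "/cgi-bin/awstats/", "/xmlrpc.php",
    "/blog/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php", "/blogs/xmlsrv/xmlrpc.php",
    "/drupal/xmlrpc.php", "/phpgroupware/xmlrpc.php", "/wordpress/xmlrpc.php",
    "/xmlrpc/xmlrpc.php", "/xmlsrv/xmlrpc.php",
)
NOISY_PATHS = {"/cgi-bin/"}  # far too common to flag on its own
DOWNLOAD_HOSTS = ("24.224.174.18", "62.101.193.244")
DROPPED_FILES = ("/tmp/nikon", "/tmp/lupii")
BACKDOOR_PORT = 7555

# Combined log format: client ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3}) (\S+)')

# Constructed sample data (RFC 5737 documentation addresses for the clients).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Nov/2005:10:12:01 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [16/Nov/2005:10:12:03 +0000] "GET /cgi-bin/awstats/awstats.pl?x=1 HTTP/1.1" 404 215 "-" "-"
198.51.100.9 - - [16/Nov/2005:10:15:44 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "-"
198.51.100.9 - - [16/Nov/2005:10:15:45 +0000] "GET /cgi-bin/counter.cgi HTTP/1.1" 200 88 "-" "-"
203.0.113.5 - - [16/Nov/2005:10:12:09 +0000] "GET /cgi-bin/foo.cgi?q=http://24.224.174.18/nikon HTTP/1.1" 200 40 "-" "-"
"""
SAMPLE_PROC_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
   1: 00000000:1D83 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 23456 2 0000000000000000 0
"""


def classify_request(target: str) -> list[str]:
    """Return the reasons a request target (path plus query) looks like Plupii."""
    path = target.partition("?")[0]
    reasons = []
    # Substring match so /site/wordpress/xmlrpc.php is still caught.
    if any(p in path for p in PROBE_PATHS if p not in NOISY_PATHS):
        reasons.append("probe-path")
    # Assumption (not stated in the writeup): an exploit payload that fetches
    # the worm carries the download host or drop path somewhere in the request.
    if any(ioc in target for ioc in DOWNLOAD_HOSTS + DROPPED_FILES):
        reasons.append("payload-indicator")
    return reasons


def scan_access_log(lines: Iterable[str]) -> list[dict]:
    """Parse combined-format lines and keep the ones matching an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip silently
        client, when, method, target, status, _size = m.groups()
        reasons = classify_request(target)
        if reasons:
            hits.append({"client": client, "time": when, "method": method,
                         "target": target, "status": int(status),
                         "reasons": reasons})
    return hits


def suspect_clients(hits: list[dict]) -> Counter:
    """Count flagged requests per source address."""
    return Counter(h["client"] for h in hits)


def udp_listen_ports(proc_net_udp: str) -> set[int]:
    """Local ports from /proc/net/udp text: hex after ':' in the second column."""
    ports = set()
    for line in proc_net_udp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) >= 2:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def backdoor_listening(proc_net_udp: str) -> bool:
    return BACKDOOR_PORT in udp_listen_ports(proc_net_udp)


def dropped_files_present(exists: Callable[[str], bool] = os.path.exists) -> list[str]:
    """Dropped files found on disk; `exists` is injectable for testing."""
    return [p for p in DROPPED_FILES if exists(p)]


def main() -> None:
    log_path = "/var/log/apache2/access.log"  # assumed location
    if os.path.exists(log_path):
        with open(log_path, errors="replace") as f:
            hits = scan_access_log(f)
    else:
        hits = scan_access_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["client"]} {h["method"]} {h["target"]} -> {",".join(h["reasons"])}')
    print("flagged requests per client:", dict(suspect_clients(hits)))
    try:
        with open("/proc/net/udp") as f:
            udp = f.read()
    except OSError:
        udp = SAMPLE_PROC_UDP
    print("UDP 7555 listener present:", backdoor_listening(udp))
    print("dropped files present:", dropped_files_present())


if __name__ == "__main__":
    main()
```

The bare /cgi-bin/ prefix is deliberately excluded from the path check because almost every legitimate CGI request would match it; the xmlrpc.php and awstats paths are specific enough to flag on their own. On the constructed sample, the three requests from 203.0.113.5 are flagged and the ordinary /index.html and /cgi-bin/counter.cgi requests are not. A UDP 7555 socket or a file at /tmp/nikon or /tmp/lupii on a host that also shows these requests is strong evidence the exploit succeeded.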
Writeup By: Costin Ionescu