Discovered: March 15, 2006
Updated: March 15, 2006 3:17:24 PM
Also Known As: ELF_MARE.K [Trend]
Systems Affected: Linux
Linux.Mare.K is a worm that spreads by exploiting vulnerabilities. The worm opens a back door and downloads and executes remote files on the compromised computer.
Once executed, the worm attempts to open a back door by connecting to the following servers:
81.223.104.152
24.224.174.18
The worm may receive the following commands from the remote attacker through the back door:
Update the worm
Execute files
Terminate the worm
The worm then downloads and executes the following executable file from the above servers:
listen
If the above file already exists on the compromised computer, the worm will instead download the following file, which is an updated version of the program:
update.listen
The worm logs its activities to the following file:
listen.log
The worm attempts to exploit the XML-RPC for PHP Remote Code Injection Vulnerability (BID 14088) and the Mambo Open Source Multiple Input Validation Vulnerabilities (BID 11220). If successful, the worm downloads and executes a file from the following locations:
http://131.220.92.80/cacat (A copy of PHP.Backdoor.Trojan)
http://131.220.92.80/cmd.gif (A copy of Trojan.Horse)
The downloaded files are copies of other threats and may attempt to download and execute the following files:
131.220.92.80/r (A copy of Backdoor.Kaiten)
131.220.92.80/curios (A copy of Linux.Mare)
The location of the downloaded files depends on the folder in which the worm was executed. The location of this folder in turn depends on the location of the WWW and PHPBB folders on the compromised computer.
Writeup By: Mircea Ciubotariu