Virus Detail

Linux/Lupper.B

Date Published:
7 Nov 2005

Last Updated:
17 Nov 2005

Threat Assessment

Overall Risk: Low

Wild: Low

Destructiveness: High

Pervasiveness: Medium

Characteristics

Type : Worm

Category : Linux

Also known as: Linux/Lupper.worm (McAfee)

Immediate Protection Info

Signature	Product	Removal Instructions
11.x/9498	eTrust Antivirus v7/8* (Vet Engine)	View
6.2x/9498	eTrust EZ Antivirus 6.2x	View
6.3x/9498	eTrust EZ Antivirus 6.3x	View
6.4x/9498	eTrust EZ Antivirus 6.4x	View
7.x/9498	eTrust EZ Antivirus 7.x	View
10.6x/9498	Vet Anti-Virus 10.6x	View

Tools

Signature file information

Scan for viruses

Submit a Virus Sample

Description

Method of Distribution

Payload

For additional information:

Description

Lupper.B is a worm designed to spread through web servers by exploiting four different security vulnerabilities. This variant has been distributed as 35,567-byte I386 ELF program.

Method of Distribution

Via Exploits

Lupper attempts to execute a simple set of four commands on a remote server:

Change folder to /tmp
Download a copy of the worm named “lupii” from a particular hard-coded IP address using Wget
Modify its execution attributes
Execute the downloaded copy of the worm

The worm sends the above commands by exploiting the following vulnerabilities:

AWStats Rawlog Plugin Input Vulnerability (Bugtraq 10950)
XML-RPC for PHP Remote Code Execution Exploit (CAN-2005-1921) (Bugtraq 14088)
Webhints Remote Command Execution (CAN-2005-1950) (Bugtraq 13930)
Includer Remote Command Execution (CVE-2005-0689) (Bugtraq 12738)

Trying to exploit the AWStats vulnerability, the worm attempts to submit its commands to the awstats.pl script at the following locations:

/cgi-bin/awstats.pl
/scgi-bin/awstats.pl
/awstats/awstats.pl
/cgi-bin/awstats/awstats.pl
/scgi-bin/awstats/awstats.pl
/cgi/awstats/awstats.pl
/scgi/awstats/awstats.pl
/scripts/awstats.pl
/cgi-bin/awstats/awstats.pl
/scgi-bin/awstats/awstats.pl
/cgi-bin/stats/awstats.pl
/scgi-bin/stats/awstats.pl
/stats/awstats.pl

Trying to exploit the XML-RPC vulnerability, the worm attempts to submit its commands to the following scripts:

/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
/blog/xmlrpc.php
/drupal/xmlrpc.php
/community/xmlrpc.php
/blogs/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogtest/xmlsrv/xmlrpc.php
/b2/xmlsrv/xmlrpc.php
/b2evo/xmlsrv/xmlrpc.php
/wordpress/xmlrpc.php
/phpgroupware/xmlrpc.php

Trying to exploit the Webhints vulnerability, the worm attempts to submit its commands to the following scripts:

/hints.pl
/cgi/hints.pl
/scgi/hints.pl
/cgi-bin/hints.pl
/scgi-bin/hints.pl
/hints/hints.pl
/cgi-bin/hints/hints.pl
/scgi-bin/hints/hints.pl
/webhints/hints.pl
/cgi-bin/webhints/hints.pl
/scgi-bin/webhints/hints.pl
/hints.cgi
/cgi/hints.cgi
/scgi/hints.cgi
/cgi-bin/hints.cgi
/scgi-bin/hints.cgi
/hints/hints.cgi
/cgi-bin/hints/hints.cgi
/scgi-bin/hints/hints.cgi
/webhints/hints.cgi
/cgi-bin/webhints/hints.cgi
/scgi-bin/webhints/hints.cgi

Trying to exploit the Includer vulnerability, the worm attempts to submit its commands to the following scripts:

/cgi-bin/includer.cgi
/scgi-bin/includer.cgi
/includer.cgi
/cgi-bin/include/includer.cgi
/scgi-bin/include/includer.cgi
/cgi-bin/inc/includer.cgi
/scgi-bin/inc/includer.cgi
/cgi-local/includer.cgi
/scgi-local/includer.cgi
/cgi/includer.cgi
/scgi/includer.cgi