UNIX_DARLLOZ.A
Linux.Darlloz (Symantec), Linux/Darlloz.A worm (ESET)
Linux
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This worm exploits software vulnerabilities to propagate to other computers across a network.
TECHNICAL DETAILS
Arrival Details
This worm may arrive via network shares.
Installation
This worm drops the following copies of itself into the affected system:
- /tmp/x86
It creates the following folders:
- /var/run/.zollard/
Other System Modifications
This worm deletes the following files:
- /var/run/.lightscan
- /var/run/lightscan
- /var/run/mipsel
- /var/run/mips
- /var/run/sh
- /var/run/arm
- /var/run/ppc
- /var/run/m
- /var/run/mi
- /var/run/s
- /var/run/a
- /var/run/p
- /var/run/msx
- /var/run/mx
- /var/run/sx
- /var/run/ax
- /var/run/px
- /var/run/32
- /var/run/sel
- /var/run/pid
- /var/run/gcc
- /var/run/dev
- /var/run/psx
- /var/run/mpl
- /var/run/mps
- /var/run/sph
- /var/run/arml
- /var/run/mips.l
- /var/run/mipsell
- /var/run/ppcl
- /var/run/shl
- /bin/pp
- /bin/mi
- /bin/mii
- /var/tmp/dreams.install.sh
- /var/tmp/ep2.ppc
- /usr/bin/wget
- /usr/bin/-wget
Propagation
This worm exploits the following software vulnerabilities to propagate to other computers across a network:
- CVE-2013-1823
Process Termination
This worm terminates the following processes if found running in the affected system's memory:
- telnetd
NOTES:
This malware generates random IP addresses and attempts to access them. If an accessible IP address is found, it attempts to access the following directories:
- /cgi-bin/php
- /cgi-bin/php5
- /cgi-bin/php-cgi
- /cgi-bin/php.cgi
- /cgi-bin/php4
It uses the following list of user names and passwords to access the locations mentioned above in case they are password-protected:
- root
- 1234
- 12345
- dreambox
- smcadmin
It loads the following modules (iptables):
- /lib/modules/{kernel version}/kernel/net/ipv4/netfilter/ip_tables.ko
- /lib/modules/{kernel version}/kernel/net/ipv4/netfilter/iptable_filter.ko
It drops TCP packets on port 23. As a result, telnet communications are blocked in the affected system.
It terminates and deletes the following processes and files:
- /var/run/.lightpid
- /var/run/.aidrapid
- /var/run/lightpid
SOLUTION
Step 1
Scan your computer with your Trend Micro product to delete files detected as UNIX_DARLLOZ.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 2
Search and delete these folders
- var/run/.zollard/
Step 3
Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.
Step 4
Download and apply these security patches Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.
- https://bugs.php.net/patch-display.php?bug_id=61910&patch=CVE-2012-1823.patch&revision=latest
Did this description help? Tell us how we did.