Hello, Got this from a trend-micro newsletter. Clamav is sufficient.
2. Faker – ELF_FAKEPATCH.A (Low Risk)
------------------------------------------------------------------------
ELF_FAKEPATCH.A is an executable that runs on Linux. ELF refers to Executable and Link Format, which is the well-documented and available file format for Linux/UNIX executables. It arrives via email, and retrieves network configuration and system information. The information is saved in the file "mama", and sent to a specific email address.
The email it sends is designed to trick users into believing it is a legitimate email sent by the RedHat Security Team, regarding critical security patches that must be downloaded. The email includes links to downloadable files, and encourages the recipients to click the links to download the patches.
When one of the specific files mentioned in the email is downloaded, the following files are found:
Inst.c – source code of this malware
Makefile – used to compile inst.c
When this Elf executable is already compiled, it produces the shell code that retrieves information from a machine. The shell code first checks whether it is executed in the root level. If not, it displays the following line in a console:
This patch must be applied as "root", and you are: %User%
(Note: %User% is the currently logged on user.)
Afterward, it adds a user named "bash" with a null password and creates the file "mama" inside the temporary folder. It then obtains network configuration and system information, and saves it in the file mama. Next, it sends this file to the email address [EMAIL PROTECTED]. It then deletes the file from the system and starts SSHD (Secure Shell Server).
Note: A Secure Shell Server provides secure encrypted communications between untrusted hosts over an untrusted network. It allows users to connect to a system from another system via TCP/IP, and obtain a shell prompt, from which they can issue commands and view output.
If you would like to scan your computer for ELF_FAKEPATCH or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/
ELF_FAKEPATCH.A is detected and cleaned by Trend Micro pattern file #2.227.08 and above.
For additional information about ELF_FAKEPATCH please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF_FAKEPATCH.A
best,
A. Mani
Member, Cal. Math. Soc.
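A host-side check for the indicators the quoted newsletter describes (an account named "bash", an empty password field, a leftover "mama" file), as an added example that is not part of the original message or of Trend Micro's tooling. The sample passwd/shadow text is constructed, and the temp directories searched are an assumption, since the newsletter only says "the temporary folder".

```python
import os

SUSPECT_USER = "bash"  # account name the newsletter says the malware adds
DROP_FILE = "mama"     # file the newsletter says is created in the temp folder

# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:500:500::/home/alice:/bin/bash\n"
    "bash:x:501:501::/home/bash:/bin/bash\n"
)
SAMPLE_SHADOW = (
    "root:$1$constructed$notarealhash:12000:0:99999:7:::\n"
    "alice:!!:12000:0:99999:7:::\n"
    "bash::12000:0:99999:7:::\n"
)

def parse_colon_file(text):
    """Yield field lists from passwd/shadow-style text, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")

def audit_accounts(passwd_text, shadow_text):
    """Return sorted (user, reason) findings for the two account indicators."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) > 1}
    findings = set()
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 7:
            continue  # malformed entry, ignore
        user, pw = fields[0], fields[1]
        if user == SUSPECT_USER:
            findings.add((user, "name matches reported account"))
        # "x" in passwd means the password field lives in shadow
        effective = shadow.get(user, pw) if pw == "x" else pw
        if effective == "":
            findings.add((user, "empty password field"))
    return sorted(findings)

def find_drop_file(temp_dirs=("/tmp", "/var/tmp")):  # directories are an assumption
    """Return paths where a leftover DROP_FILE exists (it is normally deleted)."""
    paths = (os.path.join(d, DROP_FILE) for d in temp_dirs)
    return [p for p in paths if os.path.isfile(p)]

if __name__ == "__main__":
    for user, reason in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {reason}")
    print("leftover files:", find_drop_file())
```

To audit a live host, pass the contents of /etc/passwd and /etc/shadow (the latter needs root to read) instead of the sample strings. Because the newsletter says the file is deleted after it is mailed, an empty result from `find_drop_file` does not rule out infection.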
