Net-Worm.Linux.Mighty (Kaspersky Lab)
is also known as:
Worm.Linux.Mighty (Kaspersky Lab),
Linux/Mighty.worm (McAfee), Linux.Slapper.D (Symantec), Linux.Slapper.19050 (Doctor Web), Linux/Devnull-A (Sophos), Linux/Mighty.worm (RAV), ELF_MIGHTY.A (Trend Micro), Unix/Mighty.A (FRISK), ELF:Malware (ALWIL), Linux/Mighty.A (Grisoft), Linux.Worm.Slapper.D (SOFTWIN), Linux/Slapper.D (Panda), Linux/Mighty.A (Eset)
"Mighty" is an Internet worm that infects Linux machines running the popular
"Apache" web server software. It does that by exploiting a vulnerability in
the "Secure Sockets Layer" SSL "mod_ssl" interface code of the server which
was originally reported on July 30, 2002, and listed by the Computer Emergency
Response Team (CERT) as the Vulnerability Note
VU#102795.
The configurations vulnerable to the specific exploit implementation used
by the worm are Intel x86 Linux Apache installations with OpenSSL older than
0.9.6e and 0.9.7-beta. Updating to one of these two versions or other more recent
releases will patch the vulnerability and prevent the worm from infecting the
system.
The main worm replication component is about 19KB in size, and uses the exploit
code from the popular "Slapper" worm.
Besides infecting more computers to spread further, the worm will also act
as a backdoor on the victim system, connecting to an IRC server and joining
a special channel from where it receives the orders. It's worth noticing the
backdoor component of the worm is based on the popular 'Age of Kaiten' IRC bot
source, used in many other IRC malware.
At the time of writing of this description, the worm is reported to have infected
around 1600 systems worldwide.
