Threat Description



Category: Worm
Platform: W32
Aliases: Mare.D, Net-Worm.Linux.Mare.d, Linux.Plupii.C, Unix/ShellBot.C


Mare.D is a network worm that propagates by exploiting vulnerabilities in the Mambo content management system and the PHP XML-RPC library. The worm installs several backdoors on the compromised system.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The main component of the Mare.D worm is written in C and compiled with the GNU C compiler. Mare.D consists of several components, written in C, shell script and Perl.


Mare.D scans random hosts for vulnerable installations of the Mambo content management system and PHP XML-RPC.

By exploiting these vulnerabilities, the worm downloads a small shell script that installs the rest of the components:

  • /tmp/.temp/cb - Connectback shell backdoor
  • /tmp/.temp/https - IRC-controlled backdoor
  • /tmp/.temp/ping.txt - Connectback shell backdoor
  • /tmp/.temp/httpd - Main worm component

During infection, Mare.D installs several backdoors on the compromised system. Two of them, 'cb' and 'ping.txt', are connectback shell backdoors that connect to a remote host on 8080/TCP and open an interactive shell on the infected host. The third is an IRC-controlled backdoor, written in Perl, which joins an IRC channel and awaits commands.

The main component of the worm also listens on port 27015/UDP for commands from the worm author. Through this port the attacker can issue different commands, for example to update the main component.
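
The component paths and the two ports described above can be checked on a suspect host with a short triage script. This is an added example, not F-Secure's code: the function names and the sample socket listing are constructed, and the socket parser assumes the column order of `ss -H -tuna` output.

```shell
#!/bin/sh
# Added triage example: indicators come from the description above.
# Function names and SAMPLE_SOCKETS are constructed for illustration.

# Print every Mare.D component path that exists under ROOT (default: /).
# Passing a mounted disk image as ROOT allows offline checks.
mare_d_file_hits() {
    root="${1:-}"
    root="${root%/}"
    for name in cb https ping.txt httpd; do
        path="$root/tmp/.temp/$name"
        if [ -e "$path" ]; then
            printf '%s\n' "$path"
        fi
    done
    return 0
}

# Read `ss -H -tuna` style lines on stdin and print sockets worth a look:
#  - any UDP socket bound to local port 27015 (the worm's command port)
#  - established TCP connections to remote port 8080 (connectback shells)
# Port 8080 is also used by ordinary proxies, so treat those hits as leads.
mare_d_socket_hits() {
    awk '
        $1 == "udp" && $5 ~ /:27015$/ { print "udp-27015 " $5 }
        $1 == "tcp" && $2 == "ESTAB" && $6 ~ /:8080$/ {
            print "tcp-8080 " $5 " -> " $6
        }
    '
}

# Constructed sample listing using documentation addresses, not real capture.
# The last line is a local service on 8080 and must not be reported.
SAMPLE_SOCKETS='udp UNCONN 0 0 0.0.0.0:27015 0.0.0.0:*
tcp ESTAB 0 0 192.0.2.10:41822 198.51.100.7:8080
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp ESTAB 0 0 192.0.2.10:8080 203.0.113.5:50514'

mare_d_file_hits /
printf '%s\n' "$SAMPLE_SOCKETS" | mare_d_socket_hits
```

On a live host, feed the second function with `ss -H -tuna | mare_d_socket_hits` instead of the sample.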


Mare.D is detected with the following F-Secure Anti-Virus updates:

Detection Type: PC
Database: 2006-02-17_02

Description Details: Gergely Erdelyi, February 20, 2006
Technical Details: Gergely Erdelyi, February 20, 2006
Description Last Modified: Gergely Erdelyi, February 20, 2006

