The main component of the Mare.D worm is written in C and compiled with the GNU C compiler. Mare.D consists of several components, written in C, shell script and Perl.
Mare.D scans random hosts for vulnerable installations of the Mambo content management system and PHP XML-RPC.
Exploiting these vulnerabilities the worm downloads a small shell script that installs the rest of the components:
- /tmp/.temp/cb - Connectback shell backdoor
- /tmp/.temp/https - IRC-controlled backdoor
- /tmp/.temp/ping.txt - Connectback shell backdoor
- /tmp/.temp/httpd - Main worm component
During infection Mare.D installs several backdoors to the compromised system. Two of them, 'cb' and 'ping.txt' are connectback shell backdoors, that connect to a remote host on 8080/TCP and open an interactive shell on the infected host. The third one is an IRC-controlled backdoor, written in Perl, which joins an IRC channel an awaits commands.
The main component of the worm also listens on 27015/UDP port for commands from the worm author. Through this port the attacker can issue different commands, for example update of the main component.