So let us see what it needs to work
1 php-cgi
2 An Intel x86 arch
You probably do not have that so you can relax. The exploit is done in php-cgi which most people and sites do not use. And a patch is already provided so it will only affect older PHP versions.
So if you have un-patched PHP this might happen:
"Upon execution, the worm generates IP [Internet Protocol] addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability," the Symantec researchers explained. "If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target."
The only variant seen to be spreading so far targets x86 systems, because the malicious binary downloaded from the attacker's server is in ELF (Executable and Linkable Format) format for Intel architectures.
So your Linux desktop is pretty much as safe as ever from this worm.
What Symantec has verified is that the malicious server also holds a variant of the worm for ARM , PPC, MIPS and MIPSEL on the same server.
And even if no infection has ever been found - these are clearly targeted against smartphones, routers and gadgets in general.
But so far they have not infected anything as far as we know - so they might not be all to successful.
In fact this worm warning is more of a marketing campaign than a threat.
If you full fill all the requirements to be infected it should be enough to block HTTP POST requests to the following paths at the gateway or on each device:
- -/cgi-bin/php
-/cgi-bin/php5
-/cgi-bin/php-cgi
-/cgi-bin/php.cgi
-/cgi-bin/php4
Symantec recommends 4 more steps but they will never happen if you block the requests as shown above.
And that wont even be necessary if you update your system to the patched php versions.
Still something is cooking - and we will continue to watch and comment on every existing virus for Linux here.
More here