Linux.MulDrop.27
Added to the Dr.Web virus database:
2018-01-30
Virus description added:
2018-01-30
Technical Information
Malicious functions:
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- clear
- rm -r matris
- rm -r 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
- useradd -m -p 123 tardis
- nscd -i passwd
- nscd -i group
Performs operations with the file system:
Modifies file access rights:
- /home/tardis
- /home/tardis/.bashrc
- /home/tardis/.bash_logout
- /home/tardis/.profile
- /etc/passwd+
- /etc/shadow+
- /etc/group+
- /etc/gshadow+
- /etc/subuid+
- /etc/subgid+
Creates folders:
Creates symlinks:
- /etc/passwd.lock"
- /etc/group.lock"
- /etc/gshadow.lock"
- /etc/subuid.lock"
- /etc/subgid.lock"
- /etc/shadow.lock"
Creates or modifies files:
- /etc/.pwd.lock
- /etc/passwd.713
- /etc/group.713
- /etc/gshadow.713
- /etc/subuid.713
- /etc/subgid.713
- /etc/shadow.713
- /var/log/faillog
- /var/log/lastlog
- /home/tardis/.bashrc
- /home/tardis/.bash_logout
- /home/tardis/.profile
- /etc/passwd-
- /etc/passwd+
- /etc/shadow-
- /etc/shadow+
- /etc/group-
- /etc/group+
- /etc/gshadow-
- /etc/gshadow+
- /etc/subuid-
- /etc/subuid+
- /etc/subgid-
- /etc/subgid+
- /etc/hosts
Deletes files:
- /usr"/matris"
- /usr"/1"
- /usr"/2"
- /usr"/3"
- /usr"/4"
- /usr"/5"
- /usr"/6"
- /usr"/7"
- /usr"/8"
- /usr"/9"
- /usr"/10"
- /usr"/11"
- /usr"/12"
- /usr"/13"
- /usr"/14"
- /usr"/15"
- /usr"/16"
- /usr"/17"
- /usr"/18"
- /usr"/19"
- /usr"/20"
- /usr"/21"
- /usr"/22"
- /usr"/23"
- /usr"/24"
- /usr"/25"
- /usr"/26"
- /usr"/27"
- /usr"/28"
- /usr"/29"
- /usr"/30"
- /etc/passwd.713"
- /etc/group.713"
- /etc/gshadow.713"
- /etc/subuid.713"
- /etc/subgid.713"
- /etc/shadow.713"
- /etc/shadow.lock"
- /etc/passwd.lock"
- /etc/group.lock"
- /etc/gshadow.lock"
- /etc/subuid.lock"
- /etc/subgid.lock"
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息