Linux.Packed.333
Added to the Dr.Web virus database: 2019-03-13
Virus description added: 2019-03-13
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
Malicious functions:
Launches itself as a daemon
Modifies firewall settings:
Launches processes:
- sh -c ufw disable; iptables -F; echo nameserver 8.8.8.8 > /etc/resolv.conf; chattr -i /sbin/mdmisc; rm -f /sbin/mdmisc;
- chattr -i /sbin/mdmisc
- rm -f /sbin/mdmisc
- sh -c chmod +x /sbin/mdmisc; touch -acmr /bin/sh /sbin/mdmisc; /sbin/mdmisc;
- chmod +x /sbin/mdmisc
- touch -acmr /bin/sh /sbin/mdmisc
- /sbin/mdmisc
- sh -c chattr -i /etc/init.d/mdmisc;rm -f /etc/init.d/mdmisc /etc/rc2.d/S20mdmisc /etc/rc3.d/S20mdmisc /etc/rc4.d/S20mdmisc /etc/rc5.d/S20mdmisc;
- chattr -i /etc/init.d/mdmisc
- rm -f /etc/init.d/mdmisc /etc/rc2.d/S20mdmisc /etc/rc3.d/S20mdmisc /etc/rc4.d/S20mdmisc /etc/rc5.d/S20mdmisc
- sh -c touch -acmr /bin/sh /usr/local/lib/libftp.so; chattr +i /usr/local/lib/libftp.so;
- touch -acmr /bin/sh /usr/local/lib/libftp.so
- chattr +i /usr/local/lib/libftp.so
- sh -c chattr -i /var/spool/mail/root; echo 0 > /var/spool/mail/root; chmod 0 /var/spool/mail/root; chattr +i /var/spool/mail/root;
- chattr -i /var/spool/mail/root
- chmod 0 /var/spool/mail/root
- chattr +i /var/spool/mail/root
- sh -c chattr -i /etc/ld.so.preload; rm -f /etc/ld.so.preload; echo /usr/local/lib/libftp.so > /etc/ld.so.preload;
- chattr -i /etc/ld.so.preload
- rm -f /etc/ld.so.preload
- sh -c touch -acmr /bin/sh /etc/ld.so.preload; chattr +i /etc/ld.so.preload;
- touch -acmr /bin/sh /etc/ld.so.preload
- chattr +i /etc/ld.so.preload
- sh -c chattr -i /usr/bin/wget; mv /usr/bin/wget /usr/bin/tegw
- chattr -i /usr/bin/wget
- mv /usr/bin/wget /usr/bin/tegw
- sh -c chattr -i /usr/bin/curl; mv /usr/bin/curl /usr/bin/lruc
Performs operations with the file system:
Modifies file access rights:
- /sbin/mdmisc
- /var/mail/root
Creates or modifies files:
- /etc/resolv.conf
- /sbin/mdmisc
- /usr/local/lib/libftp.so
- /var/spool/mail/root
- /var/mail/root
- /etc/ld.so.preload
- /usr/bin/wget
Deletes files:
- /sbin/mdmisc
- /etc/init.d/mdmisc
- /etc/rc2.d/S20mdmisc
- /etc/rc3.d/S20mdmisc
- /etc/rc4.d/S20mdmisc
- /etc/rc5.d/S20mdmisc
- /etc/ld.so.preload
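The process list and file-system operations above amount to a fixed set of host artifacts: a preload library forced in through /etc/ld.so.preload, dropped files locked with chattr +i, wget and curl renamed to tegw and lruc, root's mailbox zeroed and set to mode 0, and timestamps copied from /bin/sh with touch -acmr. The following triage script is an added example, not a Dr.Web tool: it walks those indicators on a given filesystem root using only POSIX sh, find and grep, plus lsattr from e2fsprogs when it is installed. The paths are the ones listed above; the staged-root argument (defaulting to /) is an assumption made so the checks can be exercised offline against a constructed directory tree.

```shell
#!/bin/sh
# Added triage check for the Linux.Packed.333 artifacts listed on this page.
# Not Dr.Web's tool. Assumes POSIX sh/find/grep; lsattr (e2fsprogs) is optional.
# ROOT defaults to "/" for a live host; a staged directory tree also works.

check_linux_packed_333() {
    root="${1:-/}"
    root="${root%/}"            # "/" -> "" so "$root/etc" is always well formed
    findings=0

    # 1. Library preload hijack: /etc/ld.so.preload naming the dropped libftp.so.
    if [ -f "$root/etc/ld.so.preload" ] \
       && grep -q '/usr/local/lib/libftp.so' "$root/etc/ld.so.preload"; then
        echo "FINDING: /etc/ld.so.preload references /usr/local/lib/libftp.so"
        findings=$((findings + 1))
    fi

    # 2. Dropped payload and init-script remnants.
    for f in /sbin/mdmisc /usr/local/lib/libftp.so /etc/init.d/mdmisc; do
        if [ -e "$root$f" ]; then
            echo "FINDING: dropped file present: $f"
            findings=$((findings + 1))
        fi
    done

    # 3. Download tools renamed out of the way (wget -> tegw, curl -> lruc).
    for f in /usr/bin/tegw /usr/bin/lruc; do
        if [ -e "$root$f" ]; then
            echo "FINDING: renamed download tool present: $f"
            findings=$((findings + 1))
        fi
    done

    # 4. Immutable attribute on the files the sample locks with chattr +i.
    #    lsattr prints the flag field first; a lowercase 'i' in it means immutable.
    if command -v lsattr >/dev/null 2>&1; then
        for f in /etc/ld.so.preload /usr/local/lib/libftp.so /var/spool/mail/root; do
            if [ -e "$root$f" ]; then
                attrs=$(lsattr -d "$root$f" 2>/dev/null | cut -d' ' -f1)
                case "$attrs" in
                    *i*) echo "FINDING: immutable attribute set on $f"
                         findings=$((findings + 1)) ;;
                esac
            fi
        done
    fi

    # 5. root's mailbox emptied and set to mode 0 (-perm 000 = exactly no bits set).
    for f in /var/spool/mail/root /var/mail/root; do
        if [ -f "$root$f" ] && [ -n "$(find "$root$f" -prune -perm 000 2>/dev/null)" ]; then
            echo "FINDING: $f has mode 000"
            findings=$((findings + 1))
        fi
    done

    # 6. Timestomping: "touch -acmr /bin/sh FILE" copies /bin/sh's timestamps, so a
    #    dropped file whose mtime equals /bin/sh's (neither newer nor older) is suspect.
    ref="$root/bin/sh"
    if [ -e "$ref" ]; then
        for f in /etc/ld.so.preload /usr/local/lib/libftp.so /sbin/mdmisc; do
            if [ -e "$root$f" ] && [ ! "$root$f" -nt "$ref" ] && [ ! "$root$f" -ot "$ref" ]; then
                echo "FINDING: $f mtime identical to /bin/sh (possible timestomp)"
                findings=$((findings + 1))
            fi
        done
    fi

    # 7. resolv.conf rewritten to 8.8.8.8: common on clean hosts, so report, do not count.
    if [ -f "$root/etc/resolv.conf" ] \
       && grep -q '^nameserver 8\.8\.8\.8$' "$root/etc/resolv.conf"; then
        echo "INFO: /etc/resolv.conf contains nameserver 8.8.8.8 (weak indicator on its own)"
    fi

    echo "findings: $findings"
    return "$findings"          # exit status = number of findings (0 = nothing found)
}

# When run directly with a root argument, e.g. "sh check.sh /", check that tree.
if [ "$#" -gt 0 ]; then
    check_linux_packed_333 "$1"
fi
```

Run it as root on the suspect host so that every path is readable. A non-zero exit status is the finding count, which makes it easy to wire into a fleet-wide job. Two caveats: the -nt/-ot operators are not strictly POSIX but dash, bash and ksh all provide them, and the immutable check only reports; as the sample's own command lines show, chattr -i has to be run on each locked file before it can be removed or restored.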
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
- 19#.##.45.242:26750
- 8.#.8.8:53
- 10#.##.167.54:80
HTTP GET requests:
- yx###h.shop/263
- yx###h.shop/162
DNS ASK:
Sends data to the following servers:
Receives data from the following servers:
Curing recommendations
Linux