Linux.Packed.444

Added to the Dr.Web virus database: 2019-06-09

Virus description added:

Technical Information

Malicious functions:
Launches itself as a daemon
Substitutes application name for:
  • utduvm
  • vesdum
  • vqobgv
  • glug
  • * **
  • ufw
  • cbpr
Launches processes:
  • sh -c crontab -r ; rm -rf /tmp/* ; rm -rf /tmp/.* ; rm -rf /dev/shm/* ; rm -rf /dev/shm/.* ; rm -rf /home/confluence/.cache/.scr ; rm -rf /home/confluence/.cache/ ; chmod 0000 /usr/bin/py* ; chmod 000 /usr/bin/wge* ; chmod 000 /usr/bin/cu* ; chmod 0000 /usr/bin/cron* ; chmod 0000 /usr/bin/[kt* ; chmod 000 /usr/bin/cro* ; rm -rf /var/spool/cron/*/* ; rm -rf /var/spool/ana*/*/* ; pkill -f curl ; pkill -9 pyt* ; rm -rf $HOME/.cache/.* ; mkdir $HOME/.cache ; chmod -r 0000 $HOME/.cach* ; rm -rf /var/spool/cron/confluen*
  • crontab -r
  • rm -rf /tmp/*
  • rm -rf /tmp/. /tmp/.. /tmp/.ICE-unix /tmp/.Test-unix /tmp/.X11-unix /tmp/.XIM-unix /tmp/.font-unix
  • rm -rf /dev/shm/*
  • rm -rf /dev/shm/. /dev/shm/..
  • rm -rf /home/confluence/.cache/.scr
  • rm -rf /home/confluence/.cache/
  • chmod 0000 /usr/bin/py3clean /usr/bin/py3compile /usr/bin/py3versions /usr/bin/pybuild /usr/bin/pyclean /usr/bin/pycompile /usr/bin/pydoc /usr/bin/pydoc2.7 /usr/bin/pydoc3 /usr/bin/pydoc3.4 /usr/bin/pygettext /usr/bin/pygettext2.7 /usr/bin/pygettext3 /usr/bin/pygettext3.4 /usr/bin/pygmentize /usr/bin/python /usr/bin/python-config /usr/bin/python2 /usr/bin/python2-config /usr/bin/python2.7 /usr/bin/python2.7-config /usr/bin/python3 /usr/bin/python3.4 /usr/bin/python3.4m /usr/bin/python3m /usr/bin/pythontex /usr/bin/pythontex3 /usr/bin/pyversions
  • chmod 000 /usr/bin/wget
  • chmod 000 /usr/bin/cut
  • chmod 0000 /usr/bin/crontab
  • chmod 0000 /usr/bin/[kt*
  • chmod 000 /usr/bin/crontab
  • rm -rf /var/spool/cron/*/*
  • rm -rf /var/spool/ana*/*/*
  • pkill -f curl
  • pkill -9 pyt*
  • rm -rf /root/.cache/.*
  • mkdir /root/.cache
  • chmod -r 0000 /root/.cache
  • rm -rf /var/spool/cron/confluen*
  • sh -c /tmp/iikbws
  • /tmp/iikbws
  • sh -c /tmp/xcwxpf
  • /tmp/xcwxpf
  • sh -c /tmp/oryjls glug
  • /tmp/oryjls glug
  • sh -c /tmp/psfh
  • /tmp/psfh
  • sh -c /tmp/wcosyp jigb
  • /tmp/wcosyp jigb
  • sh -c /tmp/borrti cbpr
  • /tmp/borrti cbpr
  • sh -c /tmp/vbmbmc ouop
Kills system processes:
  • sshd
Kills the following processes:
  • run.sh
  • bash
  • systemd
  • /bin/sh
  • /tmp/iikbws
  • (sd-pam)
  • Unknown process with PID: 787
  • Unknown process with PID: 779
  • Unknown process with PID: 775
  • /tmp/oryjls
  • /tmp/psfh
  • wcosyp
  • /tmp/wcosyp
  • Unknown process with PID: 0
Performs operations with the file system:
Modifies file access rights:
  • /usr/bin/py3clean
  • /usr/bin/py3compile
  • /usr/share/python3/py3versions.py
  • /usr/share/dh-python/pybuild
  • /usr/bin/pyclean
  • /usr/bin/pycompile
  • /usr/bin/pydoc2.7
  • /usr/bin/pydoc3.4
  • /usr/bin/pygettext2.7
  • /usr/bin/pygettext3.4
  • /usr/bin/pygmentize
  • /usr/bin/python2.7
  • /usr/bin/x86_64-linux-gnu-python2.7-config
  • /usr/bin/python3.4
  • /usr/bin/python3.4m
  • /usr/share/texlive/texmf-dist/scripts/pythontex/pythontex.py
  • /usr/bin/pythontex3
  • /usr/share/python/pyversions.py
  • /usr/bin/wget
  • /usr/bin/cut
  • /usr/bin/crontab
  • /root/.cache
  • /dev/urandom
  • /usr/bin/perl
  • /usr/bin/mawk
  • /usr/bin/xargs
  • /bin/sed
  • /tmp/iikbws
  • /tmp/xcwxpf
  • /tmp/oryjls
  • /tmp/psfh
  • /tmp/wcosyp
  • /tmp/borrti
  • /tmp/vbmbmc
Creates folders:
  • /root/.cache
Creates or modifies files:
  • /tmp/iikbws
  • /tmp/xcwxpf
  • /tmp/oryjls
  • /tmp/c
  • /tmp/psfh
  • /tmp/wcosyp
  • /tmp/jigb
  • /tmp/borrti
  • /tmp/vbmbmc
Deletes files:
  • /tmp/*
  • /dev/shm/*
  • /home/confluence/.cache/.scr
  • /home/confluence/.cache/
  • /var/spool/cron/*/*
  • /var/spool/ana*/*/*
  • /root/.cache/.*
  • /var/spool/cron/confluen*
  • /tmp/oryjls
  • /tmp/psfh
  • /tmp/wcosyp
  • /tmp/jigb
  • /tmp//xcwxpf
  • /tmp//borrti
  • /tmp//iikbws
Network activity:
HTTP GET requests:
  • 95.###.142.161/c/cf
  • 12#.###.217.239/c/cdc
  • 12#.###.217.239/c/coooc
  • 12#.###.217.239/c/nap
  • 12#.###.217.239/c/dth
Sends data to the following servers:
  • 45.##.54.157:80
Receives data from the following servers:
  • 45.##.54.157:80
Other:
Collects CPU information

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.