My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2018-05-06

Virus description added:

Technical Information

Malicious functions:
Launches itself as a daemon
Modifies firewall settings:
  • iptables -I INPUT -p tcp --destination-port 23 -j ACCEPT
  • iptables -I INPUT -p tcp --destination-port 80 -j DROP
  • iptables -I INPUT -p tcp --destination-port 8080 -j DROP
Launches processes:
  • sh -c echo 3 > /proc/sys/vm/drop_caches
  • sh -c killall telnetd utelnetd scfgmgr
  • sh -c iptables -I INPUT -p tcp --destination-port 23 -j ACCEPT
  • sh -c iptables -I INPUT -p tcp --destination-port 8080 -j DROP
Attempts to kill the following processes:
  • killall telnetd utelnetd scfgmgr
Kills the following processes:
  • <SAMPLE>
Performs operations with the file system:
Deletes folders:
Creates or modifies files:
  • /proc/sys/vm/drop_caches
  • /root/
Deletes files:
Network activity:
Awaits incoming connections on ports:
Establishes connection:
  • 8.#.8.8:53
  • 19#.##2.241.236:123
  • 91.###.89.199:123
  • 85.##.78.23:123
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
Sends data to the following servers:
  • 85.##.78.23:123
Receives data from the following servers:
  • 85.##.78.23:123

Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number