Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Packed.77

Added to the Dr.Web virus database: 2018-05-06

Virus description added:

Technical Information

Malicious functions:
Launches itself as a daemon
Modifies firewall settings:
  • iptables -I INPUT -p tcp --destination-port 23 -j ACCEPT
  • iptables -I INPUT -p tcp --destination-port 80 -j DROP
  • iptables -I INPUT -p tcp --destination-port 8080 -j DROP
Launches processes:
  • sh -c echo 3 > /proc/sys/vm/drop_caches
  • sh -c killall telnetd utelnetd scfgmgr
  • sh -c iptables -I INPUT -p tcp --destination-port 23 -j ACCEPT
  • sh -c iptables -I INPUT -p tcp --destination-port 8080 -j DROP
Attempts to kill the following processes:
  • killall telnetd utelnetd scfgmgr
Kills the following processes:
  • <SAMPLE>
Performs operations with the file system:
Deletes folders:
  • <SAMPLE_FULL_PATH>
Creates or modifies files:
  • /proc/sys/vm/drop_caches
  • /root/catrunv1.2.pid
Deletes files:
  • <SAMPLE_FULL_PATH>
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:12399
  • 0.0.0.0:23
Establishes connection:
  • 8.#.8.8:53
  • <LOCAL_DNS_SERVER>
  • 19#.##2.241.236:123
  • 91.###.89.199:123
  • 85.##.78.23:123
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
DNS ASK:
  • nt#.#buntu.com
  • po##.ntp.org
Sends data to the following servers:
  • 85.##.78.23:123
Receives data from the following servers:
  • 85.##.78.23:123

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number