My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2019-02-07

Virus description added:

Technical Information

Malicious functions:
Launches itself as a daemon
Substitutes application name for:
  • hinc
  • vrye
  • sdxh
  • jelj
Launches processes:
  • sh -c /usr/bin/mand vrye
  • /usr/bin/mand vrye
  • sh -c /root/esmg sdxh
  • /root/esmg sdxh
  • sh -c /root/jelj jelj
  • /root/jelj jelj
Kills system processes:
  • sshd
Kills the following processes:
  • atd
  • bash
  • (sd-pam)
Performs operations with the file system:
Modifies file access rights:
  • /usr/bin/mand
  • /root/esmg
  • /root/jelj
  • /bin/bash
  • /usr/bin/wget
  • /usr/bin/python3.4
  • /usr/bin/python2.7
  • /usr/bin/perl
  • /bin/echo
Creates or modifies files:
  • /usr/bin/mand
  • /root/esmg
  • /root/p
  • /root/jelj
Deletes files:
  • /usr/bin/mand
  • /root/esmg
  • /root/p
Network activity:
HTTP GET requests:
  • 18#.###.169.6/jp/sds
  • 18#.###.169.6/jp/jpp
  • 18#.###.169.6/jp/nvn

Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number