FOR CUSTOMERS

My library

+ Add to library

Search

24/7 Tech support | Rules regarding submitting

Send a message

Call us

+7 (495) 789-45-86

Forum

Your tickets

Total: -
Active: -
Latest: -

Call us

+7 (495) 789-45-86

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY

Support services

Dr.Web vxCube

Sign in to Dr.Web vxCube

VCI investigations

Virus library

Knowledge base

Technologies

Terminology

Training and education

Myths

Myths about anti-viruses

Linux.Packed.328

Added to the Dr.Web virus database: 2019-03-05

Virus description added: 2019-03-05

Technical Information

Malicious functions:

Removes itself

Launches itself as a daemon

Substitutes application name for:

ojsske
[kthrtld]

Launches processes:

sh -c /root/rfqbge brxoed
/root/rfqbge brxoed
sh -c /root/xoedme
sh -c /root/fytgoe crfytg
/root/fytgoe crfytg
sh -c /root/lbgite
/root/lbgite

Kills system processes:

sshd

Kills the following processes:

kauditd
systemd-journal
systemd-udevd
kpsmoused
kworker/0:3
ttm_swap
kvm-irqfd-clean
dhclient
rpcbind
rpc.statd
rpciod
nfsiod
rpc.idmapd
cron
atd
systemd-logind
rsyslogd
acpid
dbus-daemon
agetty
exim4
systemd
(sd-pam)
bash
run.sh
kworker/u2:1
/bin/sh
Unknown process with PID: 736

Performs operations with the file system:

Modifies file access rights:

/root/rfqbge
/root/xoedme
/root/fytgoe
/root/lbgite

Creates or modifies files:

/root/rfqbge
/root/xoedme
/root/fytgoe
/root/lbgite

Deletes files:

/root/rfqbge
/root/xoedme
/root/fytgoe
/root/lbgite

Network activity:

Establishes connection:

95.###.153.229:80

HTTP GET requests:

18#.##5.169.6/d/sss
18#.###.169.6/d/lmmml

Sends data to the following servers:

95.###.153.229:80

Receives data from the following servers:

95.###.153.229:80

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number