Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/init.d/rcS_bak
- /etc/init.d/rcS
Malicious functions:
Launches processes:
- sh -c /bin/busybox cp <SAMPLE_FULL_PATH> /var/tmp/
- /bin/busybox cp <SAMPLE_FULL_PATH> /var/tmp/
- sh -c /busybox cp <SAMPLE_FULL_PATH> /tmp/
- /busybox cp <SAMPLE_FULL_PATH> /tmp/
- sh -c /bin/busybox cp <SAMPLE_FULL_PATH> /bin/
- /bin/busybox cp <SAMPLE_FULL_PATH> /bin/
- sh -c cp ~/.bash_profile ~/.bash_bak
- cp /root/.bash_profile /root/.bash_bak
- sh -c echo 'cd /tmp;<SAMPLE_FULL_PATH> self.load;cd' >> ~/.bash_profile
- sh -c echo 'cd /var/tmp/;<SAMPLE_FULL_PATH> self.load;cd' >> ~/.bash_profile
- sh -c echo 'cd /bin/;<SAMPLE_FULL_PATH> self.load;cd' >> ~/.bash_profile
- sh -c /bin/busybox cp /etc/init.d/rcS /etc/init.d/rcS_bak
- /bin/busybox cp /etc/init.d/rcS /etc/init.d/rcS_bak
- sh -c /bin/busybox echo 'cd /tmp/;<SAMPLE_FULL_PATH> self.load;cd' >> /etc/init.d/rcS
- /bin/busybox echo cd /tmp/;<SAMPLE_FULL_PATH> self.load;cd
- sh -c /bin/busybox echo 'cd /var/tmp/;<SAMPLE_FULL_PATH> self.load;cd' >> /etc/init.d/rcS
- /bin/busybox echo cd /var/tmp/;<SAMPLE_FULL_PATH> self.load;cd
- sh -c /bin/busybox echo 'cd /bin/;<SAMPLE_FULL_PATH> self.load;cd' >> /etc/init.d/rcS
- /bin/busybox echo cd /bin/;<SAMPLE_FULL_PATH> self.load;cd
Performs operations with the file system:
Creates or modifies files:
- /var/tmp/<SAMPLE>
- /bin/<SAMPLE>
- /root/.bash_profile
Network activity:
Establishes connection:
- 8.#.8.8:53
