Linux.Mirai.3084

Added to the Dr.Web virus database: 2019-07-21

Virus description added:

Technical Information

Malicious functions:
Launches itself as a daemon
Masquerades its process name as:
  • /bin/busybox
Launches processes:
  • /bin/sh -c cd /bin/; cat tftp > tftp-cpy; cat <SAMPLE_FULL_PATH> > tftp
  • cat tftp
  • cat <SAMPLE_FULL_PATH>
  • /bin/sh -c chmod 777 tftp
  • chmod 777 tftp
  • /bin/sh -c cd /bin/; cat rm > rm-cpy; cat <SAMPLE_FULL_PATH> > rm
  • cat rm
  • /bin/sh -c chmod 777 rm
  • chmod 777 rm
  • /bin/sh -c cd /bin/; cat kill > kill-cpy; cat <SAMPLE_FULL_PATH> > kill
  • cat kill
  • /bin/sh -c chmod 777 kill
  • chmod 777 kill
  • /bin/sh -c cd /bin/; cat cd > cd-cpy; cat <SAMPLE_FULL_PATH> > cd
  • cat cd
  • /bin/sh -c chmod 777 cd
  • chmod 777 cd
  • /bin/sh -c cd /sbin/; cat tftp > tftp-cpy; cat <SAMPLE_FULL_PATH> > tftp
  • /bin/sh -c cd /sbin/; cat rm > rm-cpy; cat <SAMPLE_FULL_PATH> > rm
  • /bin/sh -c cd /sbin/; cat kill > kill-cpy; cat <SAMPLE_FULL_PATH> > kill
  • /bin/sh -c cd /sbin/; cat cd > cd-cpy; cat <SAMPLE_FULL_PATH> > cd
  • /bin/sh -c export PATH=/root:$PATH
  • /bin/sh -c echo -ne 'export PATH=/root:$PATH' >> ~/.~/.bash_profile
  • /bin/sh -c echo -ne 'export PATH=/root:$PATH' >> ~/.~/.bashrc
  • /bin/sh -c echo -ne 'export PATH=/root:$PATH' >> ~/./root/.bash_profile
  • /bin/sh -c echo -ne 'export PATH=/root:$PATH' >> ~/./root/.bashrc
  • /bin/sh -c cat /root/bash > <SAMPLE_FULL_PATH> ;
  • cat /root/bash
  • /bin/sh -c cat /root/rm > <SAMPLE_FULL_PATH> ;
  • cat /root/rm
  • /bin/sh -c cat /root/kill > <SAMPLE_FULL_PATH> ;
  • cat /root/kill
  • /bin/sh -c cat /root/cd > <SAMPLE_FULL_PATH> ;
  • cat /root/cd
Kills system processes:
  • sshd
Kills the following processes:
  • <SAMPLE>
  • dhclient
  • rpcbind
  • rpc.statd
  • rpc.idmapd
  • atd
  • cron
Performs operations with the file system:
Creates or modifies files:
  • /bin/tftp-cpy
  • /bin/tftp
  • /bin/rm-cpy
  • /bin/rm
  • /bin/kill-cpy
  • /bin/kill
  • /bin/cd-cpy
  • /bin/cd
  • /sbin/tftp-cpy
  • /sbin/tftp
  • /sbin/rm-cpy
  • /sbin/rm
  • /sbin/kill-cpy
  • /sbin/kill
  • /sbin/cd-cpy
  • /sbin/cd
  • <SAMPLE_FULL_PATH>
  • /root/.~/.bash_profile
  • /root/.~/.bashrc
  • /root/./root/.bash_profile
  • /root/./root/.bashrc
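The command list above amounts to a small set of host artifacts: a `<name>-cpy` backup next to each overwritten utility, several utilities in /bin and /sbin that now contain the same bytes (the one sample `cat`-ed over all of them), and an `export PATH=/root:$PATH` line appended to shell start-up files. The checker below is an added example, not Dr.Web's tooling or anything from the sample; point it at `/` on a live box or at the mount point of a forensic image. The extra plain `/root/.bashrc` and `/root/.bash_profile` paths, the st_nlink heuristic and the fixture trees at the bottom are assumptions and constructed test data, not material from the report.

```python
"""Check a root directory for the file-system traces listed in the report.

Added example, not Dr.Web's tooling. Looks for: *-cpy backups made before a
utility is overwritten, several utilities with byte-identical content, and the
PATH=/root line appended to shell start-up files.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

REPLACED = ("tftp", "rm", "kill", "cd")   # utilities overwritten (from the report)
BIN_DIRS = ("bin", "sbin")                 # directories it does so in (from the report)
# Start-up files from the report. The '.~' and './root' forms are the paths the
# sample actually writes; the plain /root ones are an added assumption, in case
# a variant gets the tilde expansion right.
RC_FILES = (
    "root/.~/.bash_profile", "root/.~/.bashrc",
    "root/./root/.bash_profile", "root/./root/.bashrc",
    "root/.bash_profile", "root/.bashrc",
)
PATH_MARKER = b"export PATH=/root:$PATH"


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Return a sorted list of (indicator, path) pairs; an empty list means nothing found."""
    findings = []
    by_hash = defaultdict(list)
    for d in BIN_DIRS:
        for name in REPLACED:
            p = os.path.join(root, d, name)
            cpy = p + "-cpy"
            if os.path.exists(cpy):               # 1. `cat rm > rm-cpy` backup left behind
                findings.append(("backup-copy", cpy))
            # Skip symlinks and hardlink farms: on BusyBox systems tftp/rm/kill
            # legitimately resolve to one binary. A file the sample wrote with
            # `cat ... > rm` is a regular file with a single link (assumption).
            if os.path.isfile(p) and not os.path.islink(p) and os.stat(p).st_nlink == 1:
                by_hash[_sha256(p)].append(p)
    for paths in by_hash.values():
        if len(paths) >= 2:                       # 2. one payload sitting in several utilities
            findings.append(("identical-binaries", ",".join(sorted(paths))))
    for rel in RC_FILES:                          # 3. PATH hijack appended to rc files
        p = os.path.join(root, rel)
        if os.path.isfile(p):
            with open(p, "rb") as f:
                if PATH_MARKER in f.read():
                    findings.append(("path-hijack", os.path.normpath(p)))
    return sorted(findings)


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_infected_fixture():
    """Constructed tree mimicking the report's file list; returns its root."""
    root = tempfile.mkdtemp(prefix="mirai-ioc-")
    payload = b"\x7fELF constructed stand-in for the sample\n"
    for d in BIN_DIRS:
        for name in REPLACED:
            _write(os.path.join(root, d, name + "-cpy"), b"original " + name.encode())
            _write(os.path.join(root, d, name), payload)
    _write(os.path.join(root, "root/.~/.bashrc"), PATH_MARKER)
    return root


def build_clean_fixture():
    """Constructed tree with distinct utilities and an untouched .bashrc."""
    root = tempfile.mkdtemp(prefix="clean-")
    for name in REPLACED:
        _write(os.path.join(root, "bin", name), b"distinct program " + name.encode())
    _write(os.path.join(root, "root/.bashrc"), b"export PATH=/usr/local/bin:$PATH\n")
    return root


if __name__ == "__main__":
    for kind, where in scan(build_infected_fixture()):
        print(f"{kind:20} {where}")
```

On a real host the identical-binaries indicator is the strongest of the three, because `/bin/cd` does not normally exist as a file at all and `tftp`, `rm` and `kill` never share content unless they are links to one multi-call binary, which the link checks exclude.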
Network activity:
Establishes connection:
  • 19#.##.97.85:9090
  • 15#.##.175.254:37215
  • 19#.##.175.254:37215
  • 15#.##.116.219:37215
  • 15#.###.155.191:37215
  • 41.##.212.101:37215
  • 19#.###.10.131:37215
  • 41.###.117.95:37215
  • 19#.##6.37.56:37215
  • 19#.###.157.178:37215
  • 41.###.208.191:37215
  • 15#.###.17.147:37215
  • 41.###.138.137:37215
  • 15#.##.192.237:37215
  • 15#.###.194.22:37215
  • 15#.###.164.152:37215
  • 41.##.97.75:37215
  • 41.###.20.148:37215
  • 15#.###.194.200:37215
  • 15#.##.66.228:37215
  • 41.##.222.51:37215
  • 41.###.191.172:37215
  • 41.###.207.52:37215
  • 41.###.27.46:37215
  • 41.##.195.238:37215
  • 15#.##9.1.244:37215
  • 19#.###.226.110:37215
  • 41.###.207.223:37215
  • 19#.##.9.250:37215
  • 15#.###.203.242:37215
  • 41.###.83.233:37215
  • 15#.##.96.37:37215
  • 41.##.170.250:37215
  • 41.###.107.5:37215
  • 41.##.122.135:37215
  • 41.##.181.102:37215
  • 19#.##.73.181:37215
  • 19#.##0.50.66:37215
  • 41.###.54.26:37215
  • 15#.##.139.16:37215
  • 19#.##.89.114:37215
  • 19#.##9.42.72:37215
  • 19#.###.182.117:37215
  • 41.###.76.179:37215
  • 15#.#.184.149:37215
  • 41.###.7.239:37215
  • 41.###.121.240:37215
  • 19#.##.199.216:37215
  • 19#.###.179.84:37215
  • 15#.##.71.178:37215
  • 19#.###.246.90:37215
  • 19#.###.100.27:37215
  • 41.##.113.128:37215
  • 15#.###.252.211:37215
  • 41.###.61.27:37215
  • 41.##.172.42:37215
  • 19#.##.12.207:37215
  • 19#.##9.158.6:37215
  • 19#.###.107.95:37215
  • 19#.##.176.179:37215
  • 15#.##.64.160:37215
  • 15#.###.73.185:37215
  • 41.###.17.220:37215
  • 19#.###.220.199:37215
  • 15#.###.75.100:37215
  • 19#.#.29.130:37215
  • 41.###.56.133:37215
  • 19#.##8.69.40:37215
  • 15#.###.237.222:37215
  • 41.###.239.93:37215
  • 15#.###.102.114:37215
  • 15#.###.237.152:37215
  • 41.##.159.22:37215
  • 15#.##8.24.17:37215
  • 15#.##.149.70:37215
  • 15#.###.231.189:37215
  • 15#.###.145.22:37215
  • 41.##.9.164:37215
  • 19#.##.206.32:37215
  • 15#.###.77.192:37215
  • 41.###.87.152:37215
  • 19#.##3.75.85:37215
  • 41.###.137.199:37215
  • 19#.###.230.147:37215
  • 15#.###.72.186:37215
  • 41.##.175.228:37215
  • 19#.##.139.122:37215
  • 41.###.26.165:37215
  • 19#.##.206.54:37215
  • 41.###.43.70:37215
  • 19#.##.192.158:37215
  • 19#.###.132.91:37215
  • 19#.###.141.115:37215
  • 19#.###.189.166:37215
  • 15#.##.172.117:37215
  • 41.###.122.250:37215
  • 15#.###.14.119:37215
  • 41.##.79.12:37215
  • 19#.###.99.253:37215
  • 19#.#.152.164:37215
  • 15#.#.71.157:37215
  • 41.###.222.90:37215
  • 15#.###.132.151:37215
  • 41.###.128.125:37215
  • 41.##.244.222:37215
  • 19#.###.80.100:37215
  • 41.###.75.144:37215
  • 19#.##.86.149:37215
  • 15#.##.25.162:37215
  • 41.###.150.32:37215
  • 41.###.253.200:37215
  • 41.###.0.32:37215
  • 15#.###.122.239:37215
  • 19#.##4.11.20:37215
  • 41.###.175.193:37215
  • 19#.##.146.250:37215
  • 15#.###.235.27:37215
  • 19#.###.241.146:37215
  • 15#.###.249.213:37215
  • 15#.###.70.143:37215
  • 15#.##.46.25:37215
  • 41.###.219.175:37215
  • 19#.###.164.62:37215
  • 19#.###.138.47:37215
  • 15#.###.250.72:37215
  • 41.###.128.25:37215
  • 15#.###.134.22:37215
  • 15#.##.249.106:37215
  • 19#.##.204.112:37215
  • 19#.##.15.48:37215
  • 19#.###.120.130:37215
  • 15#.##.181.162:37215
  • 15#.#.118.71:37215
  • 41.##.116.16:37215
  • 19#.###.104.160:37215
  • 15#.#.65.93:37215
  • 15#.##.31.192:37215
  • 15#.##.231.179:37215
  • 15#.###.198.117:37215
  • 15#.##.223.145:37215
  • 41.###.104.89:37215
  • 41.###.249.190:37215
  • 19#.##.240.29:37215
  • 19#.###.168.30:37215
  • 19#.###.157.51:37215
  • 41.###.21.210:37215
  • 41.###.58.46:37215
  • 15#.##.175.117:37215
  • 41.##.226.111:37215
  • 19#.###.209.196:37215
  • 19#.##3.6.10:37215
  • 41.#.#08.36:37215
  • 19#.###.83.231:37215
  • 41.##.174.94:37215
  • 19#.##.80.229:37215
  • 15#.###.54.136:37215
  • 41.##.24.189:37215
  • 15#.##9.77.61:37215
  • 41.###.252.87:37215
  • 41.##.47.149:37215
  • 15#.##.56.7:37215
  • 41.#.#5.174:37215
  • 15#.##1.25.43:37215
  • 41.##.191.156:37215
  • 15#.##.156.96:37215
  • 41.###.191.91:37215
  • 41.###.244.215:37215
  • 15#.#.50.77:37215
  • 19#.##.135.109:37215
  • 41.###.68.82:37215
  • 15#.##7.67.48:37215
  • 15#.###.39.113:37215
  • 15#.##.227.249:37215
  • 41.##.114.152:37215
  • 15#.###.110.245:37215
  • 15#.##6.91.99:37215
  • 19#.##.28.175:37215
  • 41.###.220.251:37215
  • 41.###.84.254:37215
  • 15#.###.110.196:37215
  • 15#.##.166.22:37215
  • 41.##.159.148:37215
  • 41.##.35.176:37215
  • 19#.##.150.27:37215
  • 15#.###.179.93:37215
  • 41.###.50.1:37215
  • 15#.###.246.151:37215
  • 41.###.108.42:37215
  • 19#.##.37.170:37215
  • 15#.##.205.5:37215
  • 15#.##.156.188:37215
  • 19#.##.96.181:37215
  • 41.##.180.198:37215
  • 19#.##.102.167:37215
  • 41.###.225.255:37215
  • 19#.##6.8.13:37215
  • 41.###.35.248:37215
  • 19#.###.226.241:37215
  • 15#.###.201.187:37215
  • 19#.###.254.232:37215
  • 15#.###.79.236:37215
  • 15#.##.82.29:37215
  • 19#.###.233.70:37215
  • 19#.##.144.253:37215
  • 19#.###.81.162:37215
  • 41.###.187.125:37215
  • 19#.##.10.187:37215
  • 19#.###.158.20:37215
  • 15#.##.34.198:37215
  • 41.##.42.1:37215
  • 19#.###.136.74:37215
  • 19#.##.186.160:37215
  • 41.##.26.231:37215
  • 15#.##9.57.89:37215
  • 19#.##.226.21:37215
  • 15#.###.221.255:37215
  • 19#.##.194.55:37215
  • 19#.###.130.95:37215
  • 15#.###.199.218:37215
  • 19#.###.46.122:37215
Brute-forces Telnet logins using a built-in credential dictionary.
Sends data to the following servers:
  • 19#.##.97.85:9090
Receives data from the following servers:
  • 19#.##.97.85:9090
Other:
Collects information about network activity
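The network section above shows one process reaching out to a long list of hosts on tcp/37215 (plus the Telnet brute force on tcp/23) while keeping a single session to its controller on tcp/9090. That fan-out from one process to many peers on the same port is the cheapest thing to alert on from a router or Linux host. The detector below is an added example, not Dr.Web's tooling: it parses `ss -ntp` output, groups peers per process and port, and reports any process that exceeds a peer threshold together with its connections to the controller port. The threshold, the port sets and the `ss` snapshot (RFC 5737 addresses; the report's IPs are masked) are assumptions and constructed data.

```python
"""Flag scan fan-out plus a controller session from `ss -ntp` output.

Added example, not Dr.Web's tooling. Ports come from the report; threshold
and sample lines are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SCAN_PORTS = {37215, 23}   # mass-connection port from the report, plus Telnet for the brute force
C2_PORTS = {9090}          # controller port from the report
FANOUT_THRESHOLD = 5       # distinct peers on one scan port before a process is flagged (assumption)

# `ss -ntp` data line: State Recv-Q Send-Q Local:Port Peer:Port users:(("name",pid=N,fd=M))
SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
)


@dataclass(frozen=True)
class Conn:
    state: str
    peer_ip: str
    peer_port: int
    proc: str
    pid: int


def parse_ss(text):
    """Parse `ss -ntp` output into Conn records; header and process-less lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        ip, port = m["peer"].rsplit(":", 1)
        conns.append(Conn(m["state"], ip, int(port), m["proc"], int(m["pid"])))
    return conns


def detect(conns, threshold=FANOUT_THRESHOLD):
    """Return {pid: {"proc", "scan_ports": {port: n_peers}, "c2": [(ip, port)]}} for flagged pids."""
    peers = defaultdict(lambda: defaultdict(set))   # pid -> port -> distinct peer IPs
    c2 = defaultdict(list)
    names = {}
    for c in conns:
        names[c.pid] = c.proc
        if c.peer_port in SCAN_PORTS:
            peers[c.pid][c.peer_port].add(c.peer_ip)
        elif c.peer_port in C2_PORTS:
            c2[c.pid].append((c.peer_ip, c.peer_port))
    flagged = {}
    for pid, ports in peers.items():
        hot = {p: len(ips) for p, ips in ports.items() if len(ips) >= threshold}
        if hot:   # only report the controller session when the same pid is also scanning
            flagged[pid] = {"proc": names[pid], "scan_ports": hot,
                            "c2": sorted(set(c2.get(pid, [])))}
    return flagged


# Constructed `ss -ntp` snapshot: one busybox-named pid scanning 37215, one legitimate curl.
SAMPLE_SS = """\
State    Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB    0      0      192.0.2.10:41000     203.0.113.7:9090   users:(("busybox",pid=1234,fd=3))
SYN-SENT 0      1      192.0.2.10:41001     198.51.100.1:37215 users:(("busybox",pid=1234,fd=4))
SYN-SENT 0      1      192.0.2.10:41002     198.51.100.2:37215 users:(("busybox",pid=1234,fd=5))
ESTAB    0      0      192.0.2.10:41003     198.51.100.3:37215 users:(("busybox",pid=1234,fd=6))
SYN-SENT 0      1      192.0.2.10:41004     198.51.100.4:37215 users:(("busybox",pid=1234,fd=7))
SYN-SENT 0      1      192.0.2.10:41005     198.51.100.5:37215 users:(("busybox",pid=1234,fd=8))
ESTAB    0      0      192.0.2.10:41006     198.51.100.6:23    users:(("busybox",pid=1234,fd=9))
ESTAB    0      0      192.0.2.10:50222     203.0.113.9:443    users:(("curl",pid=777,fd=3))
"""

if __name__ == "__main__":
    for pid, info in detect(parse_ss(SAMPLE_SS)).items():
        print(pid, info)
```

Run it against `ss -ntp` taken a few seconds apart, since most scan sockets sit in SYN-SENT only briefly; the process name is deliberately not trusted, because the sample reports itself as /bin/busybox.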

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux. Note that this sample overwrites tftp, rm, kill and cd in /bin and /sbin with copies of itself, keeping the originals as <name>-cpy in the same directory; after disinfection, restore those utilities from the -cpy backups (or reinstall the package that provides them) and remove the `export PATH=/root:$PATH` lines it appended to the shell start-up files listed above.

© Doctor Web
2003 — 2019