Linux.Mirai.3085

Added to the Dr.Web virus database: 2019-07-21

Virus description added:

Technical Information

Malicious functions:
Launches itself as a daemon
Substitutes application name for:
  • /bin/busybox
Launches processes:
  • /bin/sh -c cd /bin/; cat tftp > tftp-cpy; cat <SAMPLE_FULL_PATH> > tftp
  • cat tftp
  • cat <SAMPLE_FULL_PATH>
  • /bin/sh -c cd /bin/; cat rm > rm-cpy; cat <SAMPLE_FULL_PATH> > rm
  • cat rm
  • /bin/sh -c cd /bin/; cat kill > kill-cpy; cat <SAMPLE_FULL_PATH> > kill
  • cat kill
  • /bin/sh -c cd /bin/; cat cd > cd-cpy; cat <SAMPLE_FULL_PATH> > cd
  • cat cd
  • /bin/sh -c cd /sbin/; cat tftp > tftp-cpy; cat <SAMPLE_FULL_PATH> > tftp
  • /bin/sh -c cd /sbin/; cat rm > rm-cpy; cat <SAMPLE_FULL_PATH> > rm
  • /bin/sh -c cd /sbin/; cat kill > kill-cpy; cat <SAMPLE_FULL_PATH> > kill
  • /bin/sh -c cd /sbin/; cat cd > cd-cpy; cat <SAMPLE_FULL_PATH> > cd
  • /bin/sh -c export PATH=/root:$PATH
  • /bin/sh -c echo -ne 'export PATH=/root:$PATH' >> ~/.~/.bash_profile
  • /bin/sh -c echo -ne 'export PATH=/root:$PATH' >> ~/.~/.bashrc
  • /bin/sh -c echo -ne 'export PATH=/root:$PATH' >> ~/./root/.bash_profile
  • /bin/sh -c echo -ne 'export PATH=/root:$PATH' >> ~/./root/.bashrc
Kills the following processes:
  • agetty
Performs operations with the file system:
Creates or modifies files:
  • /bin/tftp-cpy
  • /bin/tftp
  • /bin/rm-cpy
  • /bin/rm
  • /bin/kill-cpy
  • /bin/kill
  • /bin/cd-cpy
  • /bin/cd
  • /sbin/tftp-cpy
  • /sbin/tftp
  • /sbin/rm-cpy
  • /sbin/rm
  • /sbin/kill-cpy
  • /sbin/kill
  • /sbin/cd-cpy
  • /sbin/cd
  • <SAMPLE_FULL_PATH>
  • /root/.~/.bash_profile
  • /root/.~/.bashrc
  • /root/./root/.bash_profile
  • /root/./root/.bashrc
Network activity:
Establishes connection:
  • 19#.##.97.85:9090
  • 25#.###.255.255:9090
  • 15#.###.169.254:37215
  • 19#.###.169.254:37215
  • 15#.###.62.233:37215
  • 15#.###.113.144:37215
  • 41.###.90.223:37215
  • 19#.#.202.48:37215
  • 41.###.237.60:37215
  • 19#.###.153.34:37215
  • 19#.###.154.196:37215
  • 41.##.188.243:37215
  • 15#.##.76.235:37215
  • 41.##.28.189:37215
  • 15#.##.207.77:37215
  • 15#.##.90.152:37215
  • 15#.###.105.96:37215
  • 41.##.9.189:37215
  • 41.###.100.194:37215
  • 15#.##.124.240:37215
  • 15#.##.227.37:37215
  • 41.###.24.109:37215
  • 41.###.149.143:37215
  • 41.###.220.174:37215
  • 41.###.25.98:37215
  • 41.##.242.128:37215
  • 15#.#.100.92:37215
  • 19#.###.87.227:37215
  • 41.##.20.75:37215
  • 19#.##4.79.83:37215
  • 15#.##.55.190:37215
  • 41.#.#78.213:37215
  • 15#.###.209.153:37215
  • 41.###.3.56:37215
  • 41.###.69.165:37215
  • 41.###.155.183:37215
  • 41.###.2.224:37215
  • 19#.###.244.26:37215
  • 19#.##.75.126:37215
  • 41.###.234.219:37215
  • 15#.##.229.245:37215
  • 19#.##.196.53:37215
  • 19#.##1.1.179:37215
  • 19#.###.50.245:37215
  • 41.###.68.244:37215
  • 15#.##4.5.62:37215
  • 41.###.42.194:37215
  • 41.##.199.125:37215
  • 19#.##.20.99:37215
  • 19#.##.187.107:37215
  • 15#.###.200.116:37215
  • 19#.##.219.225:37215
  • 19#.##6.17.23:37215
  • 41.##.88.48:37215
  • 15#.###.135.165:37215
  • 41.###.98.63:37215
  • 41.###.99.149:37215
  • 19#.##.171.26:37215
  • 19#.##.152.49:37215
  • 19#.###.196.71:37215
  • 19#.##.52.237:37215
  • 15#.###.230.15:37215
  • 15#.##0.49.58:37215
  • 41.#.#8.85:37215
  • 19#.##.73.12:37215
  • 15#.###.174.83:37215
  • 19#.##1.89.49:37215
  • 41.###.78.103:37215
  • 19#.###.195.247:37215
  • 15#.###.135.196:37215
  • 41.###.193.45:37215
  • 15#.##.255.241:37215
  • 15#.###.140.250:37215
  • 41.###.156.63:37215
  • 15#.###.200.203:37215
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
Sends data to the following servers:
  • 19#.##.97.85:9090
Receives data from the following servers:
  • 19#.##.97.85:9090
Other:
Collects information about network activity

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.