Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Packed.561

Added to the Dr.Web virus database: 2019-08-14

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /etc/init.d/developer
  • /etc/init.d/rcS_bak
  • /etc/init.d/rcS
  • /etc/rc.local
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
  • GNU
Modifies firewall settings:
  • /sbin/iptables -F
  • /sbin/iptables -X
Manages services:
  • service iptables stop
  • systemctl stop iptables.service
  • service firewalld stop
  • systemctl stop firewalld.service
Launches processes:
  • sh -c rm -rf /tmp/* /var/tmp/*
  • rm -rf /tmp/* /var/tmp/*
  • sh -c echo 0>/var/log/wtmp
  • sh -c rm -rf /bin/netstat
  • rm -rf /bin/netstat
  • sh -c echo 0>/var/log/secure
  • sh -c service iptables stop
  • sh -c /sbin/iptables -F; /sbin/iptables -X
  • sh -c service firewalld stop
  • sh -c rm -rf ~/.bash_history
  • rm -rf /root/.bash_history
  • sh -c history -c
  • sh -c mount -o bind /tmp /proc/730
  • sh -c /bin/busybox cp <SAMPLE_FULL_PATH> /usr/sbin/developer
  • mount -o bind /tmp /proc/730
  • /bin/busybox cp <SAMPLE_FULL_PATH> /usr/sbin/developer
  • sh -c /bin/busybox cp <SAMPLE_FULL_PATH> /etc/init.d/developer
  • sh -c umount /proc/*
  • /bin/busybox cp <SAMPLE_FULL_PATH> /etc/init.d/developer
  • sh -c /bin/busybox cp /etc/init.d/rcS /etc/init.d/rcS_bak
  • umount /proc/1 /proc/10 /proc/11 /proc/12 /proc/13 /proc/131 /proc/14 /proc/140 /proc/143 /proc/15 /proc/16 /proc/163 /proc/166 /proc/167 /proc/17 /proc/18 /proc/19 /proc/2 /proc/20 /proc/21 /proc/22 /proc/23 /proc/29 /proc/3 /proc/30 /proc/31 /proc/32 /proc/353 /proc/374 /proc/383 /proc/388 /proc/391 /proc/398 /proc/399 /proc/4 /proc/400 /proc/401 /proc/403 /proc/405 /proc/408 /proc/409 /proc/445 /proc/449 /proc/5 /proc/6 /proc/66 /proc/669 /proc/67 /proc/68 /proc/682 /proc/684 /proc/687 /proc/688 /proc/69 /proc/7 /proc/70 /proc/71 /proc/72 /proc/730 /proc/735 /proc/736 /proc/737 /proc/74 /proc/77 /proc/8 /proc/9 /proc/98 /proc/99 /proc/acpi /proc/buddyinfo /proc/bus /proc/cgroups /proc/cmdline /proc/consoles /proc/cpuinfo /proc/crypto /pro[rkmodule] [sh][PPID:0x2e0] [sh][PID:0x2e3] do_filp_open. Filename: \"/bin/umount\
  • /bin/busybox cp /etc/init.d/rcS /etc/init.d/rcS_bak
  • sh -c /bin/busybox echo '/usr/sbin/developer self.load' >> /etc/init.d/rcS
  • /bin/busybox echo /usr/sbin/developer self.load
  • sh -c /bin/busybox echo '/etc/init.d/developer self.load' >> /etc/init.d/rcS
  • /bin/busybox echo /etc/init.d/developer self.load
  • sh -c echo '/usr/sbin/developer self.load' >> /etc/rc.local
  • sh -c echo '/etc/init.d/developer self.load' >> /etc/rc.local
  • sh -c /sbin/chkconfig --add mashiro
  • /sbin/chkconfig --add mashiro
  • sh -c setenforce 0
  • sh -c mount -o bind /tmp /proc/750
  • sh -c mount -o bind /tmp /proc/752
  • sh -c mount -o bind /tmp /proc/751
  • sh -c mount -o bind /tmp /proc/753
  • mount -o bind /tmp /proc/750
  • mount -o bind /tmp /proc/752
  • mount -o bind /tmp /proc/751
  • mount -o bind /tmp /proc/753
  • sh -c mount -o bind /tmp /proc/762
  • sh -c mount -o bind /tmp /proc/763
  • sh -c mount -o bind /tmp /proc/764
  • mount -o bind /tmp /proc/763
  • mount -o bind /tmp /proc/762
  • mount -o bind /tmp /proc/764
Performs operations with the file system:
Creates or modifies files:
  • /var/log/wtmp
  • /var/log/secure
  • /usr/sbin/developer
  • /run/mount/utab
Deletes files:
  • /tmp/*
  • /var/tmp/*
  • /bin/netstat
  • /root/.bash_history
  • /
Mounts file systems:
  • /tmp
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:13219
Establishes connection:
  • 8.#.8.8:53
  • 1.#.0.1:53
  • 18.###.226.29:42022
  • 1.#.1.1:53
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
DNS ASK:
  • sh####.ilove26.cf
Sends data to the following servers:
  • 18.###.226.29:42022

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number