Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.MulDrop.47

Added to the Dr.Web virus database: 2020-02-19

Virus description added:

Technical Information

Malicious functions:
Launches processes:
  • /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
  • <SAMPLE_FULL_PATH>
  • /bin/bash <SAMPLE_FULL_PATH> -c
  • clear
  • sleep 2
  • useradd -m -p 48942 linuxkurulum
  • nscd -i passwd
  • nscd -i group
  • rm -fr /home/linuxkurulum
  • mkdir .linuxkurulum
  • dpkg --configure -a
  • apt-get -qq update
  • /usr/bin/dpkg --print-foreign-architectures
  • /usr/lib/apt/methods/http
  • /usr/lib/apt/methods/gpgv
  • /usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.EPAVBt /tmp/apt.data.5qqU3U
  • /usr/lib/apt/methods/gzip
  • /usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.bSBF2o /tmp/apt.data.qMGUPS
  • /usr/lib/apt/methods/bzip2
  • /usr/bin/gpgv --ignore-time-conflict --status-fd 3 --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release
  • /usr/lib/apt/methods/xz
Kills the following processes:
  • /usr/lib/apt/methods/http
  • /usr/lib/apt/methods/gpgv
  • /usr/lib/apt/methods/gzip
  • /usr/lib/apt/methods/bzip2
  • /usr/lib/apt/methods/xz
Performs operations with the file system:
Modifies file access rights:
  • /home/linuxkurulum
  • /home/linuxkurulum/.bashrc
  • /home/linuxkurulum/.bash_logout
  • /home/linuxkurulum/.profile
  • /etc/passwd+
  • /etc/shadow+
  • /etc/group+
  • /etc/gshadow+
  • /etc/subuid+
  • /etc/subgid+
  • /var/lib/dpkg/status-new
  • /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_source_Sources.gz.decomp.5r1ikf
  • /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_main_source_Sources
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages.gz.decomp.wSPHwL
  • /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_i18n_Translation-en.bz2.decomp.h3wYsZ
  • /var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
  • /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_main_i18n_Translation-en
  • /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
  • /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie_Release
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_source_Sources.bz2.decomp.MTvnXz
  • /var/lib/apt/lists/security.debian.org_dists_jessie_updates_main_source_Sources
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_binary-amd64_Packages.bz2.decomp.3aRG0g
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_main_source_Sources.xz.decomp.QtEU8r
  • /var/lib/apt/lists/security.debian.org_dists_jessie_updates_main_binary-amd64_Packages
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_i18n_Translation-en.bz2.decomp.7AuuVd
Creates folders:
  • /home/linuxkurulum
  • /home/.linuxkurulum
Creates symlinks:
  • /etc/passwd.lock
  • /etc/group.lock
  • /etc/gshadow.lock
  • /etc/subuid.lock
  • /etc/subgid.lock
  • /etc/shadow.lock
  • /var/lib/dpkg/status-old
Creates or modifies files:
  • /etc/.pwd.lock
  • /etc/passwd.711
  • /etc/group.711
  • /etc/gshadow.711
  • /etc/subuid.711
  • /etc/subgid.711
  • /etc/shadow.711
  • /var/log/faillog
  • /var/log/lastlog
  • /home/linuxkurulum/.bashrc
  • /home/linuxkurulum/.bash_logout
  • /home/linuxkurulum/.profile
  • /etc/passwd-
  • /etc/passwd+
  • /etc/shadow-
  • /etc/shadow+
  • /etc/group-
  • /etc/group+
  • /etc/gshadow-
  • /etc/gshadow+
  • /etc/subuid-
  • /etc/subuid+
  • /etc/subgid-
  • /etc/subgid+
  • /var/lib/dpkg/lock
  • /var/lib/dpkg/updates/tmp.i
  • /var/lib/dpkg/triggers/Lock
  • /var/log/dpkg.log
  • /var/lib/dpkg/status-new
  • /var/lib/apt/lists/lock
  • /var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
  • /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
  • /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_InRelease
  • /tmp/apt.sig.EPAVBt
  • /tmp/apt.data.5qqU3U
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release
  • /tmp/fileutl.message.kLS0C8
  • /tmp/fileutl.message.kLS0C8 (deleted)
  • /tmp/apt.sig.bSBF2o
  • /tmp/apt.data.qMGUPS
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_source_Sources.gz
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_source_Sources.gz.decomp.5r1ikf
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages.gz
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_source_Sources.gz.decomp
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages.gz.decomp.wSPHwL
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages.gz.decomp
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_i18n_Translation-en.bz2
  • /tmp/fileutl.message.ZezVpG
  • /tmp/fileutl.message.ZezVpG (deleted)
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_i18n_Translation-en.bz2.decomp.h3wYsZ
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_i18n_Translation-en.bz2.decomp
  • /tmp/fileutl.message.i8Vqcg
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_source_Sources.bz2
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_main_source_Sources.xz
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_source_Sources.bz2.decomp.MTvnXz
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_binary-amd64_Packages.bz2
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_i18n_Translation-en.bz2
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_source_Sources.bz2.decomp
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_binary-amd64_Packages.bz2.decomp.3aRG0g
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_main_source_Sources.xz.decomp.QtEU8r
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_main_binary-amd64_Packages.xz
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_main_i18n_Translation-en.bz2
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_binary-amd64_Packages.bz2.decomp
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_i18n_Translation-en.bz2.decomp.7AuuVd
Deletes files:
  • /etc/passwd.711
  • /etc/group.711
  • /etc/gshadow.711
  • /etc/subuid.711
  • /etc/subgid.711
  • /etc/shadow.711
  • /etc/shadow.lock
  • /etc/passwd.lock
  • /etc/group.lock
  • /etc/gshadow.lock
  • /etc/subuid.lock
  • /etc/subgid.lock
  • /home/.bashrc
  • /home/.bash_logout
  • /home/.profile
  • /var/lib/dpkg/status-old
  • /var/lib/dpkg/updates/tmp.i
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
  • /tmp/apt.sig.EPAVBt
  • /tmp/apt.data.5qqU3U
  • /tmp/fileutl.message.kLS0C8
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_source_Sources
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages
  • /tmp/apt.sig.bSBF2o
  • /tmp/apt.data.qMGUPS
  • /tmp/fileutl.message.ZezVpG
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_main_i18n_Translation-en
  • /tmp/fileutl.message.i8Vqcg
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_source_Sources
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_binary-amd64_Packages
Network activity:
Establishes connection:
  • <LOCAL_DNS_SERVER>
  • 21#.##1.132.250:80
  • [2#########:1:216:35ff:fe7f:6ceb]:80
  • [2#######8:dc41:100::233]:80
  • [2#####e42:14::204]:80
HTTP GET requests:
  • ft#.##.######.org/debian/dists/jessie/InRelease
  • se######.#####n.org/dists/jessie/updates/InRelease
  • ft#.##.######.#rg/debian/dists/jessie-updates/InRelease
  • se##########.##bian.org/dists/jessie/updates/InRelease
  • ft#.##.######.org/debian/dists/jessie/Release.gpg
  • ft#.##.######.org/debian/dists/jessie/Release
  • ft#.##.######.#####ebian/dists/jessie-updates/main/source/Sources.gz
  • ft#.##.######.######bian/dists/jessie-updates/main/binary-amd64/Packages.gz
  • ft#.##.######.######bian/dists/jessie-updates/main/i18n/Translation-en.bz2
  • se######.######.##g/dists/jessie/updates/main/source/Sources.bz2
  • se######.######.###/dists/jessie/updates/main/binary-amd64/Packages.bz2
  • se##########.######.org/dists/jessie/updates/main/source/Sources.bz2
  • ft#.##.######.###/debian/dists/jessie/main/source/Sources.xz
  • se######.######.###/dists/jessie/updates/main/i18n/Translation-en.bz2
  • se##########.######.org/dists/jessie/updates/main/binary-amd64/Packages.bz2
  • se##########.######.org/dists/jessie/updates/main/i18n/Translation-en.bz2
  • ft#.##.######.####debian/dists/jessie/main/binary-amd64/Packages.xz
  • ft#.##.######.####debian/dists/jessie/main/i18n/Translation-en.bz2
DNS ASK:
  • ft#.##.debian.org
  • se####ty.debian.org
  • se#####y-cdn.debian.org
Other:
Collects RAM information

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2020

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040