My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2023-10-08

Virus description added:

Technical Information

Malicious functions:
Launches itself as a daemon
Gets access to SSH keys
  • /root/.ssh/authorized_keys
Launches processes:
  • chattr -ia ~/.xmrig.json;lockr -ia ~/.xmrig.json; rm -rf ~/.xmrig.json; chattr -ia ~/.config/xmrig.json; lockr -ia ~/.config/xmrig.json; rm -rf ~/.config/xmrig.json
  • mkdir .ssh
  • chattr -ia /root/.xmrig.json
  • chattr -ia /root/.config/xmrig.json
  • chmod -R go= /root/.ssh
  • rm -rf /root/.config/xmrig.json
  • rm -rf .ssh
  • rm -rf /root/.xmrig.json
  • cd ~ && rm -rf .ssh && mkdir .ssh && echo \x22ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJA
Performs operations with the file system:
Modifies file access rights:
  • /root/.ssh
  • /root/.ssh/authorized_keys
Creates folders:
  • /root/.ssh
Creates or modifies files:
  • /root/cert_key.pem
  • /root/cert.pem
  • /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
Network activity:
Establishes connection:
  • 17#.##.139.84:80
Sends data to the following servers:
  • 17#.##.139.84:80
Receives data from the following servers:
  • 17#.##.139.84:80
Collects CPU information
Collects RAM information

Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number