My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2024-04-13

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
  • systemd
Launches processes:
  • /bin/sh /usr/bin/which httpd
  • which apache2
  • which httpd
  • crontab -
  • /usr/sbin/xtables-nft-multi iptables -I INPUT -p tcp --dport 50610 -j ACCEPT
  • crontab -r
  • command -v php >/dev/null 2>&1
  • crontab -r >/dev/null 2>&1; echo \x22@reboot <SAMPLE_FULL_PATH>\x22 | crontab -
  • /bin/sh /usr/bin/which apache2
  • command -v crontab >/dev/null 2>&1
  • command -v nginx >/dev/null 2>&1
  • iptables -I INPUT -p tcp --dport 50610 -j ACCEPT >/dev/null 2>&1
Performs operations with the file system:
Modifies file access rights:
  • /var/spool/cron/crontabs/tmp.qpRRGz
Creates or modifies files:
  • /var/spool/cron/crontabs/tmp.qpRRGz
Changes time of creation/access/modification of files:
  • /var/spool/cron/crontabs

Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number