Defend what you create

Other Resources


My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2014-05-05

Virus description added:

A Trojan designed to carry out DDoS attacks on 32-bit versions of Linux. It is similar to other malicious programs belonging to the Linux.DnsAmp family.

Once launched, this Trojan automatically registers itself in the OS autorun list by modifying the etc/rc.d/rc.local file. Then the Trojan creates two threads. Though each of these threads executes the same actions, they employ different command and control servers for their work.

Once the connection to the command and control server is established, the Trojan starts gathering information about the infected system. This information can include the following data:

  • OS name and version
  • Free memory and Swap cache space
  • CPU frequency
  • Data from the dosset.dtdb file (the data is written in the file after a corresponding command is received from the command and control server)

The data acquired by the Trojan is forwarded to the remote command and control server. Then the malware awaits further commands. If the Trojan cannot receive a command, it gathers additional information and sends it to the command and control server.

The Trojan can execute the following commands:

0x88Launch a DDoS attack.
0x99Terminate a DDoS attack.
0x4DEEnter the data in the dosset.dtdb file.
0x6AFUpdate itself.
0xFF1Close the connection with the command and control server.
0x5DDRestart execution of actions once the command and control server address is determined.

A DDoS attack command looks as follows:

560Victim’s IP or domain (C string)
48Number of threads used for the attack
40Attack type

Trojans belonging to this group can launch the following attacks:

  • SYN Flood (repetitive sending of a specially generated package to the attacked host until the host stops responding)
  • UDP Flood (after establishing a connection to the attacked host over the UDP protocol, the Trojan attempts to send the victim 1,000 messages)
  • Ping Flood (an echo request with the process PID as an identifier is generated over the ICMP protocol (data is the HEX value 0xA1B0A1B0))
  • Sending requests to DNS servers (DNS Amplification)
  • Sending requests to NTP servers (NTP Amplification—implemented, but not used, in the older versions of the Trojan)
  • DDoS attack on a DNS server

Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

The Russian developer of Dr.Web anti-viruses
Doctor Web has been developing anti-virus software since 1992
Dr.Web is trusted by users around the world in 200+ countries
The company has delivered an anti-virus as a service since 2007
24/7 tech support

Dr.Web © Doctor Web
2003 — 2021

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125124