My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2013-08-14

Virus description added:

A multicomponent Trojan for Linux. Once launched, it checks whether its process or a virtual machine are already running in the system. By creating the autorun file (for example, ~/.config/autostart/system-firewall.<string>.desktop) and copying itself to a disk folder (for example, ~/.config/.System_Firewall/system-firewall.<string>.config), the Trojan gets installed on the system. In the temporary folder, the malware creates an executable library and tries to inject this library into running processes. If the attempt fails, Linux.Hanthie runs a new executable file that resides in a temporary folder and is responsible for communication with the server. After that, the Trojan deletes the original copy of the file.

Into Firefox, Google Chrome, Opera, Chromium, and Ice Weasel, the Trojan embeds a grabber that intercepts information transferred via HTTP and HTTPS protocols and sends cybercriminals the data entered by the user into various forms. Linux.Hanthie can execute the following commands:

  • socks—start a proxy server,
  • bind—run a port listener script,
  • bc—connect to the command and control server,
  • update—download and install updates,
  • rm—remove itself.

Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number