My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2015-07-16

Virus description added:


  • 04c467b82ee5f06ed6987849e7b32a15c087b9c3 (unpacked)
  • 4ef259d95dc0b1bc52edb79aff661876b4f4be84 (packed)

A Trojan designed to infect routers running Linux. It serves the only purpose—to brute-force router access passwords. If the hacking attempt is successful, the Trojan uploads a malicious script that, in turn, downloads and installs backdoors based on the router architecture (ARM, MIPS, or PowerPC).

Once launched, the Trojan receives operating parameters that determine the attack type and the range of IP addresses to scan. The following User-Agent value is used for the attack:


The malicious program can carry out the following attacks:

  • Attack on Linksys routers exploiting a vulnerability in HNAP (Home Network Administration Protocol)
  • Attack on Linksys routers exploiting the CVE-2013-2678 vulnerability
  • Attack exploiting the ShellShock vulnerability (CVE-2014-6271)
  • Attack exploiting a vulnerability in the Fritz!Box routers' subsystem of remote command call

Files uploaded by malicious scripts to the infected device are detected by Dr.Web as Linux.BackDoor.Tsunami.133 and Linux.BackDoor.Tsunami.144.

Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number