My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2016-01-15

Virus description added:


  • 3790284950a986bc28c76b5534bfe9cea1dd78b0

Malware for Linux designed to take screenshots every 30 seconds. It can upload the /tmp folder to the server and download various files upon cybercriminals’ command.

Once launched, it checks for the following files:

  • $HOME/$DATA/.mozilla/firefox/profiled
  • $HOME/$DATA/.dropbox/DropboxCache

where $DATA = QStandardPaths::writableLocation(QStandardPaths::GenericDataLocation)

It the specified files are not found, the Trojan saves its own copy named as one of the mentioned files randomly chosen. Then, the copy is launched from a new directory. The Trojan’s body has the RSA key that is used to obtain the AES session key. If the launch is successful, Linux.Ekoms.1 connects to the server whose addresses are hard-coded in its body. All information transmitted between the server and Linux.Ekoms.1 is encrypted. The encryption is initially performed using the public key; and the decryption is executed by implementing the RSA_public_decrypt function to the received data.

The Trojan exchanges data with the server using AbNetworkMessage. The id line determines the executed action:

idAction performed
0xff9cInstalls the AES key.
0xff9bSets up a proxy to connect to the server.
0xff93Creates a downloader object. The body of the message contains transactionId. A randomly named file is created.
0xff92The file body and transactionId are sent. Then, the file is saved, and the downloader object is removed.
0xff94 Launches onCommand that, in turn, creates the SearchAndUploadFiles object. Probably, this function is not implemented as the run() method in a new thread returns control immediately.
0xff98Is received as an answer to UploadRequest sent by the Trojan.
0xff99OnBotServiceControl. Turns a specified service on/off.
0xff9ainfoClassesRequest. Sends services status.

UploadRequest creates the separate AbUploaderThread thread where all files from the /tmp folder are uploaded to the server. The full path to them takes more than 31 bytes.

The Trojan launches the following services:


It saves the following information to the $HOME/.config/autostart/%exename%.desktop file:

[Desktop Entry]

Then, it checks for this file in infinite loop. If the file is not found, it is created once again.


Every 30 seconds the service takes a screenshot and saves it to a temporal folder in the JPEG format with a name in the ss%d-%s.sst format, where %s is a timestamp. If the file is not saved, the Trojan tries to save it in the BMP format.


It generates a filtering list for the "aa*.aat", "dd*ddt", "kk*kkt", "ss*sst” files that are searched in the temporary location and uploads the files that match these criteria to the server. If the answer is the uninstall line, Linux.Ekoms.1 downloads the /tmp/ccXXXXXX.exe executable file from the server, saves it to the temporary folder and runs it.

Along with the ability of screenshot taking, the Trojan has the AbAudioCapture special class to record sound and save it with the name of aa-%d-%s.aat in the WAV format. However, in fact, this feature is not used anywhere.

News about the Trojan

Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number