Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Support

Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86

Profil

Linux.Packed.317

Added to the Dr.Web virus database: 2019-02-25

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /etc/init.d/watchdogs
  • /etc/cron.d/root
  • /var/spool/cron/crontabs/root
Malicious functions:
Compiles a program from source codes:
  • gcc /usr/local/lib/libioset.c -Wall -shared -fPIC -ldl -o /usr/local/lib/libioset.so
Launches processes:
  • /bin/bash -c chattr -i /etc/ld.so.preload
  • chattr -i /etc/ld.so.preload
  • /bin/bash -c chattr -i /usr/local/lib/libioset.so
  • chattr -i /usr/local/lib/libioset.so
  • /bin/bash -c cp /tmp/watchdogs /usr/sbin/watchdogs
  • cp /tmp/watchdogs /usr/sbin/watchdogs
  • /bin/bash -c mkdir -p /etc/init.d
  • mkdir -p /etc/init.d
  • /bin/bash -c chkconfig --add watchdogs
  • /bin/bash -c chattr -i /tmp/watchdogs
  • chattr -i /tmp/watchdogs
  • /bin/bash -c chattr -i /tmp/ksoftirqds
  • chattr -i /tmp/ksoftirqds
  • /bin/bash -c chattr -i /tmp/config.json
  • chattr -i /tmp/config.json
  • /bin/bash -c chattr -i /tmp/.systemd-private-22Cc8eddcc2e4730bb9fd6cf2f6e11a2-ntpd.service-6GtzMk
  • chattr -i /tmp/.systemd-private-22Cc8eddcc2e4730bb9fd6cf2f6e11a2-ntpd.service-6GtzMk
  • /bin/bash -c chattr -i /tmp/.systemd-private-287c367xd1f24bf5bc27dsb537c15dab-ntpd.service-x8KcNS
  • chattr -i /tmp/.systemd-private-287c367xd1f24bf5bc27dsb537c15dab-ntpd.service-x8KcNS
  • /bin/bash -c chattr -i /tmp/.systemd-private-802aa11cad53474fbe3aee5b763fc6x8-ntpd.service-cpvyP6
  • chattr -i /tmp/.systemd-private-802aa11cad53474fbe3aee5b763fc6x8-ntpd.service-cpvyP6
  • /bin/bash -c mkdir -p /usr/local/lib
  • mkdir -p /usr/local/lib
  • /bin/bash -c gcc /usr/local/lib/libioset.c -Wall -shared -fPIC -ldl -o /usr/local/lib/libioset.so
  • /bin/bash -c chattr -i /usr/local/lib/libioset.c
  • chattr -i /usr/local/lib/libioset.c
  • /bin/bash -c mkdir -p /var/spool/cron/crontabs
  • mkdir -p /var/spool/cron/crontabs
  • /bin/bash -c mkdir -p /tmp && chmod 1777 /tmp
  • mkdir -p /tmp
  • chmod 1777 /tmp
  • /bin/bash -c nohup /tmp/ksoftirqds >/dev/null 2>&1 &
  • nohup /tmp/ksoftirqds
  • /tmp/ksoftirqds
Performs operations with the file system:
Modifies file access rights:
  • /usr/local/lib/libioset.so
  • /tmp
Creates or modifies files:
  • /tmp/.lsdpid
  • /usr/local/lib/libioset.c
  • /tmp/ccqUTgGi.s
  • /tmp/ccsSykfr.o
  • /tmp/ccCUTULA.res
  • /tmp/ccYto5zs.c
  • /tmp/cctPH3nC.o
  • /tmp/ccMCeqcM.ld
  • /tmp/ccv9c10V.le
  • /usr/local/lib/libioset.so
  • /etc/ld.so.preload
  • /var/spool/cron/root
  • /tmp/ksoftirqds
Deletes files:
  • /etc/ld.so.preload
  • /usr/local/lib/libioset.so
  • /tmp/watchdogs
  • /tmp/ksoftirqds
  • /tmp/config.json
  • /tmp/.systemd-private-22Cc8eddcc2e4730bb9fd6cf2f6e11a2-ntpd.service-6GtzMk
  • /tmp/.systemd-private-287c367xd1f24bf5bc27dsb537c15dab-ntpd.service-x8KcNS
  • /tmp/.systemd-private-802aa11cad53474fbe3aee5b763fc6x8-ntpd.service-cpvyP6
  • /tmp/ccMCeqcM.ld
  • /tmp/ccv9c10V.le
  • /tmp/ccYto5zs.c
  • /tmp/cctPH3nC.o
  • /tmp/ccCUTULA.res
  • /tmp/ccsSykfr.o
  • /tmp/ccqUTgGi.s
  • /usr/local/lib/libioset.c
Network activity:
Establishes connection:
  • <LOCAL_DNS_SERVER>
  • 17#.#8.123.25:9
  • [2########::f03c:91ff:fe70:2b9d]:9
  • 19#.##8.218.0:22
  • <LOCAL_GATE>:22
HTTP GET requests:
  • id##t.me/
DNS ASK:
  • id##t.me
Sends data to the following servers:
  • <LOCAL_GATE>:22
Receives data from the following servers:
  • <LOCAL_GATE>:22
Other:
Collects RAM information

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number