Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Support

Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86

Profil

Linux.BackDoor.Tsunami.1114

Added to the Dr.Web virus database: 2019-08-09

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Launches processes:
  • sh -c (crontab -l| grep -v c855a922; echo \"*/10 * * * * /root/c855a922 >/dev/null 2>&1\") | crontab -
  • crontab -
  • crontab -l
  • grep -v c855a922
  • /root/c855a922
Performs operations with the file system:
Modifies file access rights:
  • /var/spool/cron/crontabs/tmp.NSdmqp
Creates or modifies files:
  • <SAMPLE_FULL_PATH>
  • /var/spool/cron/crontabs/tmp.NSdmqp
Network activity:
Connects to the following servers over the IRC protocol:
  • Server: 13#.#4.146.42; Command: NICK RT-RED-i686-c855a922-DOSRSHZ\nUSER Linux localhost localhost :box-i386 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17)\n
  • Server: 13#.#4.146.42; Command: MODE RT-RED-i686-c855a922-DOSRSHZ -xi\n
  • Server: 13#.#4.146.42; Command: JOIN #TM :bleh\n
DNS ASK:
  • ww##.omfg.pw

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number