Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/init.d/VsystemsshMdt
- /etc/init.d/selinux
Creates or modifies the following symlinks:
- /etc/rc1.d/S97VsystemsshMdt"
- /etc/rc2.d/S97VsystemsshMdt"
- /etc/rc3.d/S97VsystemsshMdt"
- /etc/rc4.d/S97VsystemsshMdt"
- /etc/rc5.d/S97VsystemsshMdt"
- /etc/rc1.d/S99selinux"
- /etc/rc2.d/S99selinux"
- /etc/rc3.d/S99selinux"
- /etc/rc4.d/S99selinux"
- /etc/rc5.d/S99selinux"
Malicious functions:
Launches itself as a daemon
Replaces the following system files:
- /bin/netstat
- /bin/ps
- /usr/bin/lsof
Launches processes:
- sh -c ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt
- ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt
- sh -c ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt
- ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt
- sh -c ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt
- ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt
- sh -c ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt
- ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt
- sh -c ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt
- ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt
- sh -c mkdir -p /usr/bin/bsd-port
- mkdir -p /usr/bin/bsd-port
- sh -c cp -f <SAMPLE_FULL_PATH> /usr/bin/bsd-port/knerl
- cp -f <SAMPLE_FULL_PATH> /usr/bin/bsd-port/knerl
- sh -c /usr/bin/bsd-port/knerl
- /usr/bin/bsd-port/knerl
- sh -c mkdir -p /usr/bin
- mkdir -p /usr/bin
- sh -c cp -f <SAMPLE_FULL_PATH> /usr/bin/pythno
- cp -f <SAMPLE_FULL_PATH> /usr/bin/pythno
- sh -c /usr/bin/pythno
- /usr/bin/pythno
- sh -c insmod /usr/lib/xpacket.ko
- insmod /usr/lib/xpacket.ko
- sh -c ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
- ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
- sh -c ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
- ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
- sh -c ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
- ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
- sh -c ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
- ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
- sh -c ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
- ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
- sh -c mkdir -p /usr/bin/dpkgd
- mkdir -p /usr/bin/dpkgd
- sh -c cp -f /bin/netstat /usr/bin/dpkgd/netstat
- cp -f /bin/netstat /usr/bin/dpkgd/netstat
- sh -c mkdir -p /bin
- mkdir -p /bin
- sh -c cp -f /usr/bin/bsd-port/knerl /bin/netstat
- cp -f /usr/bin/bsd-port/knerl /bin/netstat
- sh -c chmod 0755 /bin/netstat
- chmod 0755 /bin/netstat
- sh -c cp -f /bin/ps /usr/bin/dpkgd/ps
- cp -f /bin/ps /usr/bin/dpkgd/ps
- sh -c cp -f /usr/bin/bsd-port/knerl /bin/ps
- cp -f /usr/bin/bsd-port/knerl /bin/ps
- sh -c chmod 0755 /bin/ps
- chmod 0755 /bin/ps
- sh -c cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof
- cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof
- sh -c cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof
- cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof
- sh -c chmod 0755 /usr/bin/lsof
- chmod 0755 /usr/bin/lsof
Performs operations with the file system:
Modifies file access rights:
- /bin/netstat
- /bin/ps
- /usr/bin/lsof
Creates folders:
- /usr/bin/bsd-port
- /usr/bin/dpkgd
Creates or modifies files:
- /root/vga.conf
- /usr/bin/bsd-port/knerl
- /tmp/notify.file
- /usr/bin/pythno
- /usr/bin/bsd-port/knerl.conf
- /root/conf.n
- /usr/bin/dpkgd/netstat
- /usr/bin"/idus.log
- /root/idus.log
- /usr/bin/dpkgd/ps
- /usr/bin/dpkgd/lsof
Deletes files:
- /root/apsh.conf"
- /usr/bin/bsd-port/udevd.conf"
- /tmp/notify.file"
Network activity:
Establishes connection:
- 11#.##.197.229:685
DNS ASK:
- td####10.gnway.cc
- sh###aozhe.com
Sends data to the following servers:
- 11#.##.197.229:685
Other:
Collects OS information
Collects CPU information
Collects RAM information
Collects information about network activity