Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Launches processes:
- sh -c (crontab -l| grep -v c855a922; echo \"*/10 * * * * /root/c855a922 >/dev/null 2>&1\") | crontab -
- crontab -
- crontab -l
- grep -v c855a922
- /root/c855a922
Performs operations with the file system:
Modifies file access rights:
- /var/spool/cron/crontabs/tmp.NSdmqp
Creates or modifies files:
- <SAMPLE_FULL_PATH>
- /var/spool/cron/crontabs/tmp.NSdmqp
Network activity:
Connects to the following servers over the IRC protocol:
- Server: 13#.#4.146.42; Command: NICK RT-RED-i686-c855a922-DOSRSHZ\nUSER Linux localhost localhost :box-i386 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17)\n
- Server: 13#.#4.146.42; Command: MODE RT-RED-i686-c855a922-DOSRSHZ -xi\n
- Server: 13#.#4.146.42; Command: JOIN #TM :bleh\n
DNS ASK:
- ww##.omfg.pw