Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
- hrm0nfvatk63
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:21065
Establishes connection:
- 8.#.8.8:53
- 20#.###.251.223:25009
- 69.###.117.55:23
- 20#.##7.155.142:23
- 14#.##3.65.42:23
- 14#.##8.190.195:23
- 12#.##4.226.34:23
- 22#.##6.137.185:23
- 66.###.183.123:23
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
Connects to the following servers over the IRC protocol:
- Server: 10#.#52.234.53; Command: USER1
- Server: 10#.#52.234.53; Command: \n
- Server: 10#.#52.234.53; Command: 0937795500
- Server: 10#.#52.234.53; Command: enable
- Server: 10#.#52.234.53; Command: development
- Server: 10#.#52.234.53; Command: system
- Server: 10#.#52.234.53; Command: shell
- Server: 10#.#52.234.53; Command: sh
- Server: 10#.#52.234.53; Command: runshellcmd
- Server: 10#.#52.234.53; Command: linuxshell
- Server: 10#.#52.234.53; Command: start start-shell
- Server: 10#.#52.234.53; Command: start-shell
- Server: 10#.#52.234.53; Command: start-shell bash
- Server: 10#.#52.234.53; Command: ping ; sh
- Server: 10#.#52.234.53; Command: vshell
- Server: 10#.#52.234.53; Command: config terminal
- Server: 10#.#52.234.53; Command: busybox DNXFCOW
- Server: 10#.#52.234.53; Command: /bin/busybox DNXFCOW
DNS ASK:
- ns.##berium.cc
Sends data to the following servers:
- 13#.##2.52.210:23
- 12#.##6.56.201:23
- 67.###.49.163:23
- 24#.##9.200.90:23
- 16#.##0.215.109:23
- 65.###.197.232:23
- 63.##.224.247:23
- 53.###.149.88:23
- 9.###.216.211:23
- 20#.###.251.223:25009
- 12#.##4.226.34:23
- 66.###.183.123:23
Receives data from the following servers:
- 20#.###.251.223:25009