Pour le fonctionnement correct du site, vous devez activer JavaScript dans votre navigateur.
Linux.MulDrop.40
Added to the Dr.Web virus database:
2019-01-12
Virus description added:
2019-01-12
Technical Information
Malicious functions:
Launches processes:
/bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
<SAMPLE_FULL_PATH>
/bin/bash <SAMPLE_FULL_PATH> -c
rm -rf shot attack
clear
useradd -N -m -r -p 1234567890 shot
nscd -i passwd
nscd -i group
mkdir /home/shot
apt-get update -y
/usr/bin/dpkg --print-foreign-architectures
/usr/lib/apt/methods/http
/usr/lib/apt/methods/gpgv
/usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.CGYRZW /tmp/apt.data.9blxbP
Kills the following processes:
/usr/lib/apt/methods/http
/usr/lib/apt/methods/gpgv
Performs operations with the file system:
Modifies file access rights:
/home/shot
/home/shot/.bashrc
/home/shot/.bash_logout
/home/shot/.profile
/etc/passwd+
/etc/shadow+
/etc/subuid+
/etc/subgid+
Creates folders:
Creates symlinks:
/etc/passwd.lock
/etc/group.lock
/etc/gshadow.lock
/etc/subuid.lock
/etc/subgid.lock
/etc/shadow.lock
Creates or modifies files:
/etc/.pwd.lock
/etc/passwd.709
/etc/group.709
/etc/gshadow.709
/etc/subuid.709
/etc/subgid.709
/etc/shadow.709
/var/log/faillog
/var/log/lastlog
/home/shot/.bashrc
/home/shot/.bash_logout
/home/shot/.profile
/etc/passwd-
/etc/passwd+
/etc/shadow-
/etc/shadow+
/etc/subuid-
/etc/subuid+
/etc/subgid-
/etc/subgid+
/var/lib/apt/lists/lock
/var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
/var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
/var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
/var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
/var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_InRelease
/var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
/tmp/apt.sig.CGYRZW
/tmp/apt.data.9blxbP
/var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release
/tmp/fileutl.message.KvRb4w
/tmp/fileutl.message.KvRb4w (deleted)
Deletes files:
/usr/lib/shot
/usr/lib/attack
/etc/passwd.709
/etc/group.709
/etc/gshadow.709
/etc/subuid.709
/etc/subgid.709
/etc/shadow.709
/etc/shadow.lock
/etc/passwd.lock
/etc/group.lock
/etc/gshadow.lock
/etc/subuid.lock
/etc/subgid.lock
/var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
/tmp/apt.sig.CGYRZW
/tmp/apt.data.9blxbP
/tmp/fileutl.message.KvRb4w
Network activity:
Establishes connection:
<LOCAL_DNS_SERVER>
21#.##6.149.233:80
[2#########:1:216:35ff:fe7f:6ceb]:80
[2#######8:dc41:100::233]:80
[2#####e42:3a::204]:80
HTTP GET requests:
se######.#####n.org/dists/jessie/updates/InRelease
ft#.##.######.org/debian/dists/jessie/InRelease
ft#.##.######.#rg/debian/dists/jessie-updates/InRelease
se##########.##bian.org/dists/jessie/updates/InRelease
ft#.##.######.org/debian/dists/jessie/Release.gpg
ft#.##.######.org/debian/dists/jessie/Release
DNS ASK:
ft#.##.debian.org
se####ty.debian.org
se#####y-cdn.debian.org
Recommandations pour le traitement
Linux
Version démo gratuite
Pour 1 mois (sans enregistrement) ou 3 mois (avec enregistrement et remise pour le renouvellement)
Téléchargez Dr.Web pour Android
Gratuit pour 3 mois
Tous les composants de protection
Renouvellement de la démo via AppGallery/Google Pay
Nous utilisons des cookies sur notre site web à des fins uniques d’analyse de la fréquentation et de récolte de données statistiques. En naviguant sur notre site, vous pouvez accepter ou refuser l’utilisation de ces fichiers cookies.
En savoir plus : Politique de confidentialité
Accepter
Refuser