Technical Information
Malicious functions:
Gets access to SSH keys
- /root/.ssh/.apps/hald
- /root/.ssh/.apps/7f.so
- /root/.ssh/.apps/7fC.dat
- /root/.ssh/.apps/80.so
- /root/.ssh/.apps/80C.dat
- /root/.ssh/.apps/17.so
- /root/.ssh/.apps/17C.dat
- /root/.ssh/.apps/16.so
- /root/.ssh/.apps/16C.dat
- /root/.ssh/.apps/19.so
- /root/.ssh/.apps/19C.dat
- /root/.ssh/.apps/27.so
- /root/.ssh/.apps/27C.dat
- /root/.ssh/.apps/12.so
- /root/.ssh/.apps/12C.dat
- /root/.ssh/.apps/05.so
- /root/.ssh/.apps/05C.dat
- /root/.ssh/.apps/24.so
- /root/.ssh/.apps/24C.dat
- /root/.ssh/.apps/14.so
- /root/.ssh/.apps/14C.dat
- /root/.ssh/.apps/23.so
- /root/.ssh/.apps/23C.dat
- /root/.ssh/.apps/28.so
- /root/.ssh/.apps/28C.dat
- /root/.ssh/.apps/04.so
- /root/.ssh/.apps/04C.dat
- /root/.ssh/.apps/02.so
- /root/.ssh/.apps/02C.dat
- /root/.ssh/.apps/00C.dat
- /root/.ssh/.apps/01C.dat
- /root/.ssh/.apps/03C.dat
- /root/.ssh/.apps/06C.dat
- /root/.ssh/.apps/07C.dat
- /root/.ssh/.apps/08C.dat
- /root/.ssh/.apps/09C.dat
- /root/.ssh/.apps/0aC.dat
- /root/.ssh/.apps/0bC.dat
- /root/.ssh/.apps/0cC.dat
- /root/.ssh/.apps/0dC.dat
- /root/.ssh/.apps/0eC.dat
- /root/.ssh/.apps/0fC.dat
- /root/.ssh/.apps/10C.dat
- /root/.ssh/.apps/11C.dat
- /root/.ssh/.apps/13C.dat
- /root/.ssh/.apps/15C.dat
- /root/.ssh/.apps/18C.dat
- /root/.ssh/.apps/1aC.dat
- /root/.ssh/.apps/1bC.dat
- /root/.ssh/.apps/1cC.dat
- /root/.ssh/.apps/1dC.dat
- /root/.ssh/.apps/1eC.dat
- /root/.ssh/.apps/1fC.dat
- /root/.ssh/.apps/20C.dat
- /root/.ssh/.apps/21C.dat
- /root/.ssh/.apps/22C.dat
- /root/.ssh/.apps/25C.dat
- /root/.ssh/.apps/26C.dat
- /root/.ssh/.apps/29C.dat
- /root/.ssh/.apps/2aC.dat
- /root/.ssh/.apps/2bC.dat
- /root/.ssh/.apps/2cC.dat
- /root/.ssh/.apps/2dC.dat
- /root/.ssh/.apps/2eC.dat
- /root/.ssh/.apps/2fC.dat
- /root/.ssh/.apps/30C.dat
- /root/.ssh/.apps/31C.dat
- /root/.ssh/.apps/32C.dat
- /root/.ssh/.apps/33C.dat
- /root/.ssh/.apps/34C.dat
- /root/.ssh/.apps/35C.dat
- /root/.ssh/.apps/36C.dat
- /root/.ssh/.apps/37C.dat
- /root/.ssh/.apps/38C.dat
- /root/.ssh/.apps/39C.dat
- /root/.ssh/.apps/3aC.dat
- /root/.ssh/.apps/3bC.dat
- /root/.ssh/.apps/3cC.dat
- /root/.ssh/.apps/3dC.dat
- /root/.ssh/.apps/3eC.dat
- /root/.ssh/.apps/3fC.dat
- /root/.ssh/.apps/40C.dat
- /root/.ssh/.apps/41C.dat
- /root/.ssh/.apps/42C.dat
- /root/.ssh/.apps/43C.dat
- /root/.ssh/.apps/44C.dat
- /root/.ssh/.apps/45C.dat
- /root/.ssh/.apps/46C.dat
- /root/.ssh/.apps/47C.dat
- /root/.ssh/.apps/48C.dat
- /root/.ssh/.apps/49C.dat
- /root/.ssh/.apps/4aC.dat
- /root/.ssh/.apps/4bC.dat
- /root/.ssh/.apps/4cC.dat
- /root/.ssh/.apps/4dC.dat
- /root/.ssh/.apps/4eC.dat
- /root/.ssh/.apps/4fC.dat
- /root/.ssh/.apps/50C.dat
- /root/.ssh/.apps/51C.dat
- /root/.ssh/.apps/52C.dat
- /root/.ssh/.apps/53C.dat
- /root/.ssh/.apps/54C.dat
- /root/.ssh/.apps/55C.dat
- /root/.ssh/.apps/56C.dat
- /root/.ssh/.apps/57C.dat
- /root/.ssh/.apps/58C.dat
- /root/.ssh/.apps/59C.dat
- /root/.ssh/.apps/5aC.dat
- /root/.ssh/.apps/5bC.dat
- /root/.ssh/.apps/5cC.dat
- /root/.ssh/.apps/5dC.dat
- /root/.ssh/.apps/5eC.dat
- /root/.ssh/.apps/5fC.dat
- /root/.ssh/.apps/60C.dat
- /root/.ssh/.apps/61C.dat
- /root/.ssh/.apps/62C.dat
- /root/.ssh/.apps/63C.dat
- /root/.ssh/.apps/64C.dat
- /root/.ssh/.apps/65C.dat
- /root/.ssh/.apps/66C.dat
- /root/.ssh/.apps/67C.dat
- /root/.ssh/.apps/68C.dat
- /root/.ssh/.apps/69C.dat
- /root/.ssh/.apps/6aC.dat
- /root/.ssh/.apps/6bC.dat
- /root/.ssh/.apps/6cC.dat
- /root/.ssh/.apps/6dC.dat
- /root/.ssh/.apps/6eC.dat
- /root/.ssh/.apps/6fC.dat
- /root/.ssh/.apps/70C.dat
- /root/.ssh/.apps/71C.dat
- /root/.ssh/.apps/72C.dat
- /root/.ssh/.apps/73C.dat
- /root/.ssh/.apps/74C.dat
- /root/.ssh/.apps/75C.dat
- /root/.ssh/.apps/76C.dat
- /root/.ssh/.apps/77C.dat
- /root/.ssh/.apps/78C.dat
- /root/.ssh/.apps/79C.dat
- /root/.ssh/.apps/7aC.dat
- /root/.ssh/.apps/7bC.dat
- /root/.ssh/.apps/7cC.dat
- /root/.ssh/.apps/7dC.dat
- /root/.ssh/.apps/7eC.dat
- /root/.ssh/.apps/00.so
- /root/.ssh/.apps/01.so
- /root/.ssh/.apps/03.so
- /root/.ssh/.apps/06.so
- /root/.ssh/.apps/07.so
- /root/.ssh/.apps/08.so
- /root/.ssh/.apps/09.so
- /root/.ssh/.apps/0a.so
- /root/.ssh/.apps/0b.so
- /root/.ssh/.apps/0c.so
- /root/.ssh/.apps/0d.so
- /root/.ssh/.apps/0e.so
- /root/.ssh/.apps/0f.so
- /root/.ssh/.apps/10.so
- /root/.ssh/.apps/11.so
- /root/.ssh/.apps/13.so
- /root/.ssh/.apps/15.so
- /root/.ssh/.apps
- /root/.ssh/.apps/18.so
- /root/.ssh/.apps/1a.so
- /root/.ssh/.apps/1b.so
- /root/.ssh/.apps/1c.so
- /root/.ssh/.apps/1d.so
- /root/.ssh/.apps/1e.so
- /root/.ssh/.apps/1f.so
- /root/.ssh/.apps/20.so
- /root/.ssh/.apps/21.so
- /root/.ssh/.apps/22.so
- /root/.ssh/.apps/wbcm.so
- /root/.ssh/.apps/gtkx.so
- /root/.ssh/.apps/25.so
- /root/.ssh/.apps/26.so
- /root/.ssh/.apps/emailviewerplug@emailviewer.org.xpi
- /root/.ssh/.apps/29.so
- /root/.ssh/.apps/2a.so
- /root/.ssh/.apps/2b.so
- /root/.ssh/.apps/2c.so
- /root/.ssh/.apps/2d.so
- /root/.ssh/.apps/2e.so
- /root/.ssh/.apps/2f.so
- /root/.ssh/.apps/30.so
- /root/.ssh/.apps/31.so
- /root/.ssh/.apps/32.so
- /root/.ssh/.apps/33.so
- /root/.ssh/.apps/34.so
- /root/.ssh/.apps/35.so
- /root/.ssh/.apps/36.so
- /root/.ssh/.apps/37.so
- /root/.ssh/.apps/38.so
- /root/.ssh/.apps/39.so
- /root/.ssh/.apps/3a.so
- /root/.ssh/.apps/3b.so
- /root/.ssh/.apps/3c.so
- /root/.ssh/.apps/3d.so
- /root/.ssh/.apps/3e.so
- /root/.ssh/.apps/3f.so
- /root/.ssh/.apps/40.so
- /root/.ssh/.apps/41.so
- /root/.ssh/.apps/42.so
- /root/.ssh/.apps/43.so
- /root/.ssh/.apps/44.so
- /root/.ssh/.apps/45.so
- /root/.ssh/.apps/46.so
- /root/.ssh/.apps/47.so
- /root/.ssh/.apps/48.so
- /root/.ssh/.apps/49.so
- /root/.ssh/.apps/4a.so
- /root/.ssh/.apps/4b.so
- /root/.ssh/.apps/4c.so
- /root/.ssh/.apps/4d.so
- /root/.ssh/.apps/4e.so
- /root/.ssh/.apps/4f.so
- /root/.ssh/.apps/50.so
- /root/.ssh/.apps/51.so
- /root/.ssh/.apps/52.so
- /root/.ssh/.apps/53.so
- /root/.ssh/.apps/54.so
- /root/.ssh/.apps/55.so
- /root/.ssh/.apps/56.so
- /root/.ssh/.apps/57.so
- /root/.ssh/.apps/58.so
- /root/.ssh/.apps/59.so
- /root/.ssh/.apps/5a.so
- /root/.ssh/.apps/5b.so
- /root/.ssh/.apps/5c.so
- /root/.ssh/.apps/5d.so
- /root/.ssh/.apps/5e.so
- /root/.ssh/.apps/5f.so
- /root/.ssh/.apps/60.so
- /root/.ssh/.apps/61.so
- /root/.ssh/.apps/62.so
- /root/.ssh/.apps/63.so
- /root/.ssh/.apps/64.so
- /root/.ssh/.apps/65.so
- /root/.ssh/.apps/67.so
- /root/.ssh/.apps/68.so
- /root/.ssh/.apps/69.so
- /root/.ssh/.apps/6a.so
- /root/.ssh/.apps/6b.so
- /root/.ssh/.apps/6c.so
- /root/.ssh/.apps/6d.so
- /root/.ssh/.apps/6e.so
- /root/.ssh/.apps/6f.so
- /root/.ssh/.apps/70.so
- /root/.ssh/.apps/71.so
- /root/.ssh/.apps/72.so
- /root/.ssh/.apps/73.so
- /root/.ssh/.apps/74.so
- /root/.ssh/.apps/75.so
- /root/.ssh/.apps/76.so
- /root/.ssh/.apps/77.so
- /root/.ssh/.apps/78.so
- /root/.ssh/.apps/79.so
- /root/.ssh/.apps/7a.so
- /root/.ssh/.apps/7b.so
- /root/.ssh/.apps/7c.so
- /root/.ssh/.apps/7d.so
- /root/.ssh/.apps/7e.so
Launches processes:
- hald 80.so RunDll
- sh -c ls /dev/disk/by-id/ 2>/dev/null
- ls /dev/disk/by-id/
- sh -c cat /sys/class/net/eth?/address 2>/dev/null
- cat /sys/class/net/eth0/address
- sh -c cat /sys/class/net/wlan?/address 2>/dev/null
- cat /sys/class/net/wlan?/address
- sh -c cat /var/lib/dbus/machine-id 2>/dev/null
- cat /var/lib/dbus/machine-id
Performs operations with the file system:
Creates folders:
- /root/.ssh
- /root/.ssh/.apps
Creates or modifies files:
- /root/.profile1
- /root/.profile
- /root/.bash_profile
- /tmp/.X11.lock
- /tmp/wlanUPdeL9
Deletes files:
- /tmp/wlanUPdeL9
Network activity:
Establishes connection:
- 10.#.0.250:1111
- 10.#.0.250:1112
- 10.#.0.250:1113
Other:
Collects CPU information
