My library

+ Add to library



Added to the Dr.Web virus database: 2017-11-15

Virus description added:


  • e43fd0752b8c03ffae628a6b83e2a03944f11f4e

A backdoor for Linux operating systems. It was detected in the libz library. During its operation, the Trojan intercepts calling of the following system functions: __libc_start_main, sscanf, __syslog_chk, fopen, and fgets. It is initialized in __libc_start_main; the main code is located in the sscanf function. It operates only with binary files that ensure data transfers via the SSH protocol. It fails to operate if the launched file name is the same as /usr/sbin/sshds. For external connection, it doesn’t use a currently open socket. Instead it uses the first open socket out of 1,024. After this, the socket is moved to the zero descriptor, and the remaining 1,023 are shut down.

The connection protocol is encrypted using the RC4 algorithm; strings are also encrypted. The backdoor can execute the following commands:

execRun a binary fileFile name
tcpConnect to host:porthost, port
upDownload a fileFile name

News about the Trojan

Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

Doctor Web tworzy oprogramowanie antywirusowe od 1992 roku
Dr.Web cieszy się zaufaniem użytkowników na całym świecie, w ponad 200 krajach
Firma dostarcza program antywirusowy jako usługę od 2007 roku
Wsparcie techniczne 24/7

© Doctor Web
2003 — 2022

Doctor Web to rosyjski producent oprogramowania antywirusowego Dr.Web. Rozwijamy nasze produkty od 1992 roku.