Added to the Dr.Web virus database: 2016-09-30

Virus description added:

SHA1: 2b82c715c2f1480b57e59bd7c55ef32db312e008

A Trojan for Linux, also known as “TheMoon”, designed to download various files to the infected device. All examined samples were named “.nttpd”. To store its PID, the Trojan uses a “.nttpd” file with the following contents:


In the head module, module_id equals 17.

If launched successfully, the Trojan deletes its original file and adds the following iptables rules:

"INPUT -p tcp --dport 8080 -j DROP"
"INPUT -p tcp --dport 443 -j DROP"
"INPUT -p tcp --dport 80 -j DROP"
"INPUT -p tcp --dport 23 -j DROP"
"INPUT -p tcp --dport 22 -j DROP"

These rules drop incoming TCP connections to the web (80, 443, 8080), Telnet (23) and SSH (22) ports, so that other Trojans cannot compromise the device through the same services.

After that, the malware launches the following three functions, which carry out its main malicious activity:



This function launches two child threads. The first runs an infinite loop that counts how long the Trojan has been running. The second connects to the command and control server once an hour, iterating over the C&C IP addresses hard-coded in the Trojan’s body until it finds one that responds. To send information to the server, the malware uses a 48-byte buffer in which every byte is zero except the first, which is 0x23. It then waits for a response buffer of the same size. Once the buffer is received, the malware reads its penultimate DWORD and adds 0x7C558180 to it; the resulting number is taken as the current time.
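The beacon exchange described above, as an added example that is not Dr.Web’s or the malware’s own code. The page does not state the byte order, so little-endian DWORDs are assumed (a big-endian MIPS build would use ">I"); the server side is modelled as the inverse of the client’s decoding, which is also an assumption. is_beacon() is the check a network sensor could apply to a 48-byte payload.

```python
"""Added example (not Dr.Web's or the malware's code): the hourly C&C beacon.
Assumptions not stated on the page: little-endian DWORDs, and a server that
replies with the current time minus the bias the client adds back."""
import struct
import time
from typing import Optional

BEACON_LEN = 48
BEACON_MAGIC = 0x23
TIME_BIAS = 0x7C558180            # constant added to the penultimate DWORD
PENULTIMATE_OFF = BEACON_LEN - 8  # offset of the second-to-last DWORD
ENDIAN = "<"                      # assumed byte order


def build_beacon() -> bytes:
    """Client request: 48 zero bytes with 0x23 in the first position."""
    buf = bytearray(BEACON_LEN)
    buf[0] = BEACON_MAGIC
    return bytes(buf)


def is_beacon(payload: bytes) -> bool:
    """Sensor-side check: exact length, leading 0x23, every other byte zero."""
    return (len(payload) == BEACON_LEN
            and payload[0] == BEACON_MAGIC
            and not any(payload[1:]))


def decode_server_time(response: bytes) -> int:
    """Client side: penultimate DWORD + 0x7C558180 (mod 2^32) is the current time."""
    if len(response) != BEACON_LEN:
        raise ValueError("expected a 48-byte reply")
    (penultimate,) = struct.unpack_from(ENDIAN + "I", response, PENULTIMATE_OFF)
    return (penultimate + TIME_BIAS) & 0xFFFFFFFF


def fake_server_reply(request: bytes, now: int) -> Optional[bytes]:
    """Assumed server behaviour: answer a valid beacon with (now - bias) in the
    penultimate DWORD; anything that is not a beacon gets no reply."""
    if not is_beacon(request):
        return None
    reply = bytearray(BEACON_LEN)
    struct.pack_into(ENDIAN + "I", reply, PENULTIMATE_OFF,
                     (now - TIME_BIAS) & 0xFFFFFFFF)
    return bytes(reply)


def beacon_round_trip(now: int) -> int:
    """Run one exchange offline and return what the client takes as the time."""
    reply = fake_server_reply(build_beacon(), now)
    return decode_server_time(reply)


if __name__ == "__main__":
    print(beacon_round_trip(int(time.time())))
```

Because the addition is done modulo 2^32, the DWORD on the wire for a 2016 timestamp is a large unsigned value rather than a small one; a decoder that treats it as a signed integer or fails to mask the sum will not recover the time.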


A function that adds new C&C servers to those hard-coded in the Trojan’s body and receives the data needed to update modules.

Using iptables, the Trojan opens UDP port 5142 (the port number is substituted into the %u placeholder):

INPUT -p udp --dport %u -j ACCEPT

It then starts a thread that listens on this port and waits for a 263-byte package with the following structure:

Offset  Meaning
0x00    Package size
0x01    Function number (0 or 1)
0x02    Whether a registration confirmation should be sent
0x04+   Package data

First, the Trojan registers a server on receiving a package that looks as follows:

Offset  Meaning
0x02    Whether a registration confirmation should be sent
0x04    DWORD with the value 0x6D6163F3

The Trojan stores dwIp % 0x64 together with the IP address from which the package was sent. If the byte at offset 0x02 is set, the malware sends the same buffer back as confirmation. In addition, the Trojan relays registration requests when it receives the following control package:

Offset  Meaning
0x02    Ignored
0x04    DWORD with the value 0x6D6163F3
0x08    Ignored
0x0C    IP address to which the package is sent

If the DWORD at offset 0x0C is non-zero, the Trojan sends a registration request package to the specified IP address; otherwise it sends the package back to the server from which the command was received.

The module package looks as follows:

Offset  Meaning
0x00    Package size, <= 0x14
0x02    Ignored

The following structure (IDA notation; _DWORD is an unsigned 32-bit integer, so the structure is 0x14 bytes long) is stored at offset 0x04:

struct st_module
{
  _DWORD dwip;        // IP address of the server hosting the module
  _DWORD module_id;   // module identifier (17 for the head module)
  _DWORD size;        // size of the module to download
  char filename[8];   // file name under which the module is saved
};

The Trojan checks that the IP address in this structure is one of the hard-coded or registered server addresses. It then copies the structure into its memory and hands it to the dwl thread.
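The UDP control channel described above, from the 263-byte header through server registration, control-package relaying and the st_module descriptor, as an added example that is not Dr.Web’s or the malware’s own code. Assumptions not stated on the page: DWORDs are little-endian, function number 0 carries registration/control packages and 1 carries a module descriptor, dwIp is the sender’s IPv4 address as an integer, and the package-size byte holds the length of the data after offset 0x04. The test inputs (IP addresses, module name) are constructed.

```python
"""Added example (not Dr.Web's or the malware's code): parser/emulator for the
.nttpd UDP control channel on port 5142. Assumed, not taken from the page:
little-endian DWORDs, function 0 = registration/control, function 1 = module
descriptor, dwIp = sender IPv4 address as an integer."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

PKG_LEN = 263
REG_MAGIC = 0x6D6163F3
FUNC_REGISTER = 0                     # assumed mapping of the function byte
FUNC_MODULE = 1                       # assumed mapping of the function byte
ST_MODULE = struct.Struct("<III8s")   # dwip, module_id, size, filename[8] (0x14 bytes)


def ip_to_dword(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def dword_to_ip(d: int) -> str:
    return str(ipaddress.IPv4Address(d))


@dataclass
class StModule:
    dwip: str
    module_id: int
    size: int
    filename: str


class NttpdNetThread:
    """State of the listening thread: hard-coded C&C list plus registered servers."""

    def __init__(self, hardcoded_servers):
        self.servers = set(hardcoded_servers)   # hard-coded + registered addresses
        self.slot: Optional[int] = None          # dwIp % 0x64 of the registered server
        self.pending: Optional[StModule] = None  # descriptor handed to the dwl thread

    def handle(self, pkg: bytes, src_ip: str) -> dict:
        if len(pkg) != PKG_LEN:
            return {"action": "drop", "reason": "bad length"}
        size, func, confirm = pkg[0], pkg[1], pkg[2]
        if func == FUNC_REGISTER:
            return self._handle_register(pkg, src_ip, confirm)
        if func == FUNC_MODULE:
            return self._handle_module(pkg, size)
        return {"action": "drop", "reason": "unknown function"}

    def _handle_register(self, pkg: bytes, src_ip: str, confirm: int) -> dict:
        # 0x04 magic, 0x08 ignored, 0x0C target IP (zero for a plain registration)
        magic, _ignored, target = struct.unpack_from("<III", pkg, 0x04)
        if magic != REG_MAGIC:
            return {"action": "drop", "reason": "bad magic"}
        self.slot = ip_to_dword(src_ip) % 0x64   # dwIp % 0x64 (dwIp assumed = sender)
        self.servers.add(src_ip)
        if target != 0:
            # control package: relay a registration request to the named address
            return {"action": "send_registration", "to": dword_to_ip(target), "data": pkg}
        if confirm:
            return {"action": "echo", "to": src_ip, "data": pkg}   # confirmation
        return {"action": "registered", "slot": self.slot}

    def _handle_module(self, pkg: bytes, size: int) -> dict:
        if size > 0x14:
            return {"action": "drop", "reason": "module package too large"}
        dwip, module_id, mod_size, name = ST_MODULE.unpack_from(pkg, 0x04)
        module = StModule(dword_to_ip(dwip), module_id, mod_size,
                          name.split(b"\0", 1)[0].decode("ascii", "replace"))
        if module.dwip not in self.servers:
            # only hard-coded or registered servers may supply modules
            return {"action": "drop", "reason": "module server not registered"}
        self.pending = module   # the dwl thread picks this up
        return {"action": "download", "module": module}


def build_register_pkg(confirm: bool = True, target_ip: str = "0.0.0.0") -> bytes:
    """Constructed registration/control package (size byte assumed = 12 data bytes)."""
    buf = bytearray(PKG_LEN)
    buf[0], buf[1], buf[2] = 0x0C, FUNC_REGISTER, int(confirm)
    struct.pack_into("<III", buf, 0x04, REG_MAGIC, 0, ip_to_dword(target_ip))
    return bytes(buf)


def build_module_pkg(server_ip: str, module_id: int, size: int, filename: str) -> bytes:
    """Constructed module descriptor package carrying an st_module at 0x04."""
    buf = bytearray(PKG_LEN)
    buf[0], buf[1] = ST_MODULE.size, FUNC_MODULE
    ST_MODULE.pack_into(buf, 0x04, ip_to_dword(server_ip), module_id, size,
                        filename.encode()[:8].ljust(8, b"\0"))
    return bytes(buf)
```

The order of operations matters: a module descriptor naming a server that has never registered and is not hard-coded is dropped, so an attacker who only spoofs the 5142 listener with a module package gains nothing until a registration package with the 0x6D6163F3 magic has been accepted from that address.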


It waits until the net thread has filled in the st_module structure, then generates the name of the pid file:

StModule->filename + ".pid"

and, depending on whether this file exists, checks whether the corresponding module is already running; for that, either the module name or its identifier is compared. If the module is running, its process is killed.

The Trojan then establishes a TCP connection to StModule->dwip and sends the following line:


The server responds with the module body. The Trojan saves it to the file StModule->filename, sets its permissions to 448 (0700 in octal, i.e. read, write and execute for the owner only) and executes the module.

Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.


© Doctor Web
2003 — 2022
