Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
- GNU
Modifies firewall settings:
- /sbin/iptables -A INPUT -p tcp --destination-port 23 -j DROP
Launches processes:
- sh -c /sbin/iptables -A INPUT -p tcp --destination-port 23 -j DROP
- sh -c mount -o bind /tmp /proc/547 > /dev/null
- sh -c mount -o bind /tmp /proc/548 > /dev/null
- sh -c mount -o bind /tmp /proc/551 > /dev/null
- mount -o bind /tmp /proc/551
- mount -o bind /tmp /proc/547
- mount -o bind /tmp /proc/548
- sh -c mount -o bind /tmp /proc/549 > /dev/null
- mount -o bind /tmp /proc/549
Performs operations with the file system:
Mounts file systems:
- /tmp
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:13219
Establishes connection:
- 8.#.8.8:53
- 14#.#1.13.37:81
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
Sends data to the following servers:
- 12#.##.61.249:23
- 17#.##9.27.95:23
- 79.###.108.123:23
- 50.##.193.70:23
- 24#.##6.82.228:23
- 93.##0.89.67:23
- 25#.##1.243.22:23
- 48.###.195.33:23
- 24#.##2.209.111:23
- 14#.#1.13.37:81
