Linux.Siggen.3306
Added to the Dr.Web virus database: 2020-09-17
Virus description added: 2020-09-17
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/profile.d/bash_config
- /etc/rc.local
- /etc/profile.d/linux.sh
- /etc/profile.d/bash_config.sh
- /etc/init.d/cron
- /etc/init.d/linux_kill
- /etc/init.d/ssh
- /etc/init.d/udev
- /etc/crontab
Malicious functions:
Replaces the following system files:
Launches processes:
- /bin/bash -c chmod 0755 /etc/32679
- chmod 0755 /etc/32679
- /etc/32679
- <SAMPLE_FULL_PATH>
- sleep 30
- /bin/bash -c echo \"#!/bin/sh\" > /etc/profile.d/linux.sh
- /bin/bash -c
- /bin/bash -c echo -e \"#!/bin/sh\n BEGIN INIT INFO\n#chkconfig: 2345 10 90\n#description:System.img.config\n# Default-Start: 2 3 4 5\n# Default-Stop: \n END INIT INFO\n/boot/System.img.config\nexit 0\" > /etc/init.d/linux_kill;chmod +x /etc/init.d/linux_kill
- chmod +x /etc/init.d/linux_kill
- /bin/bash -c echo -e \"#!/bin/sh\n/usr/lib/libdlrpcld.so\" > /.img
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc0.d/linux_kill
- /bin/bash -c echo \"* * * * * root /.img \" >> /etc/crontab
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc0.d/linux_kill
- /bin/bash -c chmod 0755 /.img
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc0.d/linux_kill
- chmod 0755 /.img
Performs operations with the file system:
Modifies file access rights:
- /etc/32679
- /etc/init.d/linux_kill
- /.img
Creates folders:
Creates or modifies files:
- /etc/id.services.conf
- /etc/32679
- /dev/.img
- /boot/System.img.config
- /usr/lib/libdlrpcld.so
- /lib/system-monitor
- /usr/bin/find
- /usr/sbin/ifconfig.conf
- /usr/bin/lsof
- /.img
Locks files:
Network activity:
Establishes connection:
- 8.#.8.8:53
- 15#.###.211.160:65530
DNS ASK: