Техническая информация
Вредоносные функции:
Самоудаляется
Запускает себя в качестве демона
Подменяет имя приложения на:
- qwensqdnchvj1b51udhr
Запускает процессы:
- sh -c rm -r /var/log
- rm -r /var/log
Выполняет операции с файловой системой:
Удаляет файлы:
- /kern.log
- /syslog
- /auth.log
- /btmp
- /mainlog
- /fontconfig.log
- /wtmp
- /faillog
- /messages
- /history.log
- /term.log
- /checkroot
- /checkfs
- /lastlog
- /dpkg.log
- /daemon.log
- /debug
- /partman
- /lsb-release
- /templates.dat
- /questions.dat
- /hardware-summary
- /status
- /dmesg
- /alternatives.log
Сетевая активность:
Ожидает входящих соединений на портах:
- 127.0.0.1:48099
- 0.0.0.0:23
Устанавливает соединение:
- 8.#.8.8:53
- <LOCAL_DNS_SERVER>
- 27.###.101.121:80
- 36.##.177.3:8080
- 36.##.177.3:81
- 36.##.177.3:8001
- 36.##.177.3:1080
- 36.##.177.3:88
- 36.##.177.3:82
- 36.##.177.3:10000
- 36.##.177.3:8081
- 36.##.177.3:8443
- 36.##.177.3:83
- 36.##.177.3:8880
- 36.##.177.3:84
- 36.##.177.3:3000
- 36.##.177.3:8090
- 36.##.177.3:8060
- 36.##.177.3:3749
HTTP GET-запросы:
- 36.##.177.3:80/
- 36.##.###.##80/system.ini?loginuse&loginpas
- 36.##.###.#############handle.php?cmd=writeuploaddir&uploaddir=%27;echo+nuuo+123456;%27
- 36.##.###.###0/board.cgi?cmd=cat%20/etc/passwd
- 36.##.###.##########.########_file=netgear.cfg&todo=syscmd&curpath=/¤tsetting.htm=1&cmd=echo+dgn+123456
- 36.##.###.##########in/user/Config.cgi?.cab&action=get&category=Account.*
- 36.##.###.#####shell?echo+jaws+123456;cat+/proc/cpuinfo
HTTP POST-запросы:
- 36.##.##7.3:80/command.php
- 36.##.##7.3:80/hedwig.cgi
- 36.##.##7.3:80/apply.cgi
DNS ASK:
- we####qweiur.com
- e.##852.com
Посылает данные следующим серверам:
- 21#.###.58.226:20480
- 21#.###.58.226:20736
- 21#.###.58.226:36895
- 21#.###.58.226:37151
- 21#.###.58.226:22528
- 21#.###.58.226:16671
- 21#.###.58.226:14340
- 21#.###.58.226:20992
- 21#.##5.58.226:4135
- 21#.###.58.226:64288
- 21#.###.58.226:45090
- 21#.###.58.226:21248
- 21#.###.58.226:21504
- 21#.###.58.226:31775
- 21#.###.58.226:39455
- 21#.###.58.226:47115
- 21#.###.58.226:42254
- 85.###.43.75:20480
- 85.###.43.75:20736
- 85.###.43.75:36895
- 85.###.43.75:37151
- 85.###.43.75:22528
- 85.###.43.75:16671
- 85.###.43.75:14340
- 85.###.43.75:20992
- 85.###.43.75:4135
- 85.###.43.75:64288
- 85.###.43.75:45090
- 85.###.43.75:21248
- 85.###.43.75:21504
- 85.###.43.75:31775
- 85.###.43.75:39455
- 85.###.43.75:47115
- 85.###.43.75:42254
- 21#.###.228.42:20480
- 21#.###.228.42:20736
- 21#.###.228.42:36895
- 21#.###.228.42:37151
- 21#.###.228.42:22528
- 21#.###.228.42:16671
- 21#.###.228.42:14340
- 21#.###.228.42:20992
- 21#.##5.228.42:4135
- 21#.###.228.42:64288
- 21#.###.228.42:45090
- 21#.###.228.42:21248
- 21#.###.228.42:21504
- 21#.###.228.42:31775
- 21#.###.228.42:39455
- 21#.###.228.42:47115
- 21#.###.228.42:42254
- 21#.##6.0.186:20480
- 21#.##6.0.186:20736
- 21#.##6.0.186:36895
- 21#.##6.0.186:37151
- 21#.##6.0.186:22528
- 21#.##6.0.186:16671
- 21#.##6.0.186:14340
- 21#.##6.0.186:20992
- 21#.##6.0.186:4135
- 21#.##6.0.186:64288
- 21#.##6.0.186:45090
- 21#.##6.0.186:21248
- 21#.##6.0.186:21504
- 21#.##6.0.186:31775
- 21#.##6.0.186:39455
- 21#.##6.0.186:47115
- 21#.##6.0.186:42254
- 10#.##.233.78:20480
- 10#.##.233.78:20736
- 10#.##.233.78:36895
- 10#.##.233.78:37151
- 10#.##.233.78:22528
- 10#.##.233.78:16671
- 10#.##.233.78:14340
- 10#.##.233.78:20992
- 10#.##.233.78:4135
- 10#.##.233.78:64288
- 10#.##.233.78:45090
- 10#.##.233.78:21248
- 10#.##.233.78:21504
- 10#.##.233.78:31775
- 10#.##.233.78:39455
- 10#.##.233.78:47115
- 10#.##.233.78:42254
- 10#.###.77.113:20480
- 10#.###.77.113:20736
- 10#.###.77.113:36895
- 10#.###.77.113:37151
- 10#.###.77.113:22528
- 10#.###.77.113:16671
- 10#.###.77.113:14340
- 10#.###.77.113:20992
- 10#.##5.77.113:4135
- 10#.###.77.113:64288
- 10#.###.77.113:45090
- 10#.###.77.113:21248
- 10#.###.77.113:21504
- 10#.###.77.113:31775
- 10#.###.77.113:39455
- 10#.###.77.113:47115
- 10#.###.77.113:42254
- 11#.##.254.40:20480
- 11#.##.254.40:20736
- 11#.##.254.40:36895
- 11#.##.254.40:37151
- 11#.##.254.40:22528
- 11#.##.254.40:16671
- 11#.##.254.40:14340
- 11#.##.254.40:20992
- 11#.##.254.40:4135
- 11#.##.254.40:64288
- 11#.##.254.40:45090
- 11#.##.254.40:21248
- 11#.##.254.40:21504
- 11#.##.254.40:31775
- 11#.##.254.40:39455
- 11#.##.254.40:47115
- 11#.##.254.40:42254
- 20#.###.171.137:20480
- 20#.###.171.137:20736
- 20#.###.171.137:36895
- 20#.###.171.137:37151
- 20#.###.171.137:22528
- 20#.###.171.137:16671
- 20#.###.171.137:14340
- 20#.###.171.137:20992
- 20#.###.171.137:4135
- 20#.###.171.137:64288
- 20#.###.171.137:45090
- 20#.###.171.137:21248
- 20#.###.171.137:21504
- 20#.###.171.137:31775
- 20#.###.171.137:39455
- 20#.###.171.137:47115
- 20#.###.171.137:42254
- 36.##.177.3:20480
- 36.##.177.3:20736
- 36.##.177.3:36895
- 36.##.177.3:37151
- 36.##.177.3:22528
- 36.##.177.3:16671
- 36.##.177.3:14340
- 36.##.177.3:20992
- 36.##.177.3:4135
- 36.##.177.3:64288
- 36.##.177.3:45090
- 36.##.177.3:21248
- 36.##.177.3:21504
- 36.##.177.3:31775
- 36.##.177.3:39455
- 36.##.177.3:47115
- 36.##.177.3:42254
