Техническая информация
Для обеспечения автоматического запуска и распространения:
Создает или модифицирует следующие файлы:
- /var/spool/cron/crontabs/root
Вредоносные функции:
Самоудаляется
Запускает процессы:
- sh -c ps aux | grep -v grep | grep -v '/sbin/opendkim' | grep 'opendkim' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- ps aux
- grep -v grep
- grep -v /sbin/opendkim
- grep opendkim
- awk {print $2}
- xargs kill -9
- kill -9
- sh -c ps aux | grep -v grep | grep -v '/opt/zimbra/libexec/zmmailboxdmgr' | grep 'zmmailboxdmgr' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep -v /opt/zimbra/libexec/zmmailboxdmgr
- grep zmmailboxdmgr
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/bin/zmgsaupdate' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/bin/zmgsaupdate
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/bin/zmqueuelog' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/bin/zmqueuelog
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/libexec/zmmysqlstatus' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/libexec/zmmysqlstatus
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/libexec/zmgsaupdate' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/libexec/zmgsaupdate
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/libexec/zmcertmgr' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/libexec/zmcertmgr
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/libexec/zmconfigdctl' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/libexec/zmconfigdctl
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/lib/zmmysqlstatus' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/lib/zmmysqlstatus
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/lib/zmgsaupdate' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/lib/zmgsaupdate
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/lib/zmcertmgr' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/lib/zmcertmgr
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/lib/zmconfigdctl' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/lib/zmconfigdctl
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/lib/zmdhparam' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/lib/zmdhparam
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/log/zmdnscachectl' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/log/zmdnscachectl
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/log/zmdumpenv' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/log/zmdumpenv
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/log/zmfixcalendtime' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/log/zmfixcalendtime
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/log/zmfixcalprio' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/log/zmfixcalprio
- sh -c ps aux | grep -v grep | grep '/var/tmp/zmcertmgr' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /var/tmp/zmcertmgr
- sh -c ps aux | grep -v grep | grep '/var/tmp/zmconfigdctl' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /var/tmp/zmconfigdctl
- sh -c ps aux | grep -v grep | grep '/var/tmp/zmdhparam' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /var/tmp/zmdhparam
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/bin/zmcheckversion' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/bin/zmcheckversion
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/bin/zmcheckversion\"
- yes
- cp <SAMPLE_FULL_PATH> /opt/zimbra/bin/zmcheckversion
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/bin/zmclientcertmgr' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/bin/zmclientcertmgr
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/bin/zmclientcertmgr\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/bin/zmclientcertmgr
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/libexec/zmtrainsa' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/libexec/zmtrainsa
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/libexec/zmtrainsa\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/libexec/zmtrainsa
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/libexec/zmjavaext' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/libexec/zmjavaext
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/libexec/zmjavaext\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/libexec/zmjavaext
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/libexec/zmldappasswd' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/libexec/zmldappasswd
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/libexec/zmldappasswd\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/libexec/zmldappasswd
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/libexec/zmloggerctl' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/libexec/zmloggerctl
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/libexec/zmloggerctl\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/libexec/zmloggerctl
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/common/bin/watchdog' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/common/bin/watchdog
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/common/bin/watchdog\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/common/bin/watchdog
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/lib/zmcheckversion' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/lib/zmcheckversion
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/lib/zmcheckversion\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/lib/zmcheckversion
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/lib/zmclientcertmgr' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/lib/zmclientcertmgr
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/lib/zmclientcertmgr\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/lib/zmclientcertmgr
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/lib/zmjavaext' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/lib/zmjavaext
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/lib/zmjavaext\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/lib/zmjavaext
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/lib/zmldappasswd' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/lib/zmldappasswd
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/lib/zmldappasswd\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/lib/zmldappasswd
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/lib/zmloggerctl' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/lib/zmloggerctl
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/lib/zmloggerctl\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/lib/zmloggerctl
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/zmstat/zmstat' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/zmstat/zmstat
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/zmstat/zmstat\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/zmstat/zmstat
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/log/zmjavaext' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/log/zmjavaext
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/log/zmjavaext\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/log/zmjavaext
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/log/zmldappasswd' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/log/zmldappasswd
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/log/zmldappasswd\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/log/zmldappasswd
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/log/zmloggerctl' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/log/zmloggerctl
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/log/zmloggerctl\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/log/zmloggerctl
- sh -c ps aux | grep -v grep | grep '/opt/zimbra/log/lwatchdog' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /opt/zimbra/log/lwatchdog
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/opt/zimbra/log/lwatchdog\"
- cp <SAMPLE_FULL_PATH> /opt/zimbra/log/lwatchdog
- sh -c ps aux | grep -v grep | grep '/var/tmp/zmldappasswd' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /var/tmp/zmldappasswd
- sh -c yes|cp \"<SAMPLE_FULL_PATH>\" \"/var/tmp/zmldappasswd\"
- cp <SAMPLE_FULL_PATH> /var/tmp/zmldappasswd
- sh -c touch -r /opt/zimbra/bin/zmcertmgr /var/tmp/zmldappasswd > /dev/null 2>&1
- touch -r /opt/zimbra/bin/zmcertmgr /var/tmp/zmldappasswd
- sh -c nohup /var/tmp/zmldappasswd > /dev/null 2>&1 &
- nohup /var/tmp/zmldappasswd
- /var/tmp/zmldappasswd
- sh -c crontab -l
- crontab -l
- sh -c crontab /tmp/c_zmldappasswd_bak
- crontab /tmp/c_zmldappasswd_bak
- sh -c (crontab -l|grep -v '/opt/zimbra/bin/zmgsaupdate')|crontab -
- crontab -
- grep -v /opt/zimbra/bin/zmgsaupdate
- sh -c ps aux | grep -v grep | grep '/var/tmp/zmldappasswd' | grep -v '/var/tmp/zmldappasswd.'
- grep -v /var/tmp/zmldappasswd.
- sh -c (crontab -l|grep -v '/opt/zimbra/bin/zmqueuelog')|crontab -
- grep -v /opt/zimbra/bin/zmqueuelog
- sh -c ps aux | grep -v grep | grep '/var/tmp/zmloggerctl' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /var/tmp/zmloggerctl
- sh -c (crontab -l|grep -v '/opt/zimbra/libexec/zmmysqlstatus')|crontab -
- grep -v /opt/zimbra/libexec/zmmysqlstatus
- sh -c ps aux | grep -v grep | grep '/var/tmp/lwatchdog' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
- grep /var/tmp/lwatchdog
- sh -c (crontab -l|grep -v '/opt/zimbra/libexec/zmgsaupdate')|crontab -
- grep -v /opt/zimbra/libexec/zmgsaupdate
- sh -c (crontab -l|grep -v '/opt/zimbra/lib/zmdhparam')|crontab -
- grep -v /opt/zimbra/lib/zmdhparam
- sh -c (crontab -l|grep -v '/opt/zimbra/log/zmdnscachectl')|crontab -
- grep -v /opt/zimbra/log/zmdnscachectl
- sh -c (crontab -l|grep -v '/opt/zimbra/log/zmdumpenv')|crontab -
- grep -v /opt/zimbra/log/zmdumpenv
- sh -c (crontab -l|grep -v '/opt/zimbra/log/zmfixcalendtime')|crontab -
- grep -v /opt/zimbra/log/zmfixcalendtime
- sh -c (crontab -l|grep -v '/opt/zimbra/log/zmfixcalprio')|crontab -
- grep -v /opt/zimbra/log/zmfixcalprio
- sh -c nohup /var/tmp/zmcertmgr > /dev/null 2>&1 &
- sh -c ps aux | grep -v grep | grep '/var/tmp/zmcertmgr' | grep -v '/var/tmp/zmcertmgr.'
- nohup /var/tmp/zmcertmgr
- /var/tmp/zmcertmgr
- grep -v /var/tmp/zmcertmgr.
- sh -c (crontab -l|grep -v '/var/tmp/zmcertmgr')|crontab -
- grep -v /var/tmp/zmcertmgr
- sh -c nohup /var/tmp/zmconfigdctl > /dev/null 2>&1 &
- sh -c ps aux | grep -v grep | grep '/var/tmp/zmconfigdctl' | grep -v '/var/tmp/zmconfigdctl.'
- nohup /var/tmp/zmconfigdctl
- /var/tmp/zmconfigdctl
- grep -v /var/tmp/zmconfigdctl.
- sh -c (crontab -l|grep -v '/var/tmp/zmconfigdctl')|crontab -
- grep -v /var/tmp/zmconfigdctl
- sh -c nohup /var/tmp/zmdhparam > /dev/null 2>&1 &
- sh -c ps aux | grep -v grep | grep '/var/tmp/zmdhparam' | grep -v '/var/tmp/zmdhparam.'
- nohup /var/tmp/zmdhparam
- /var/tmp/zmdhparam
- grep -v /var/tmp/zmdhparam.
- sh -c (crontab -l|grep -v '/var/tmp/zmdhparam')|crontab -
- grep -v /var/tmp/zmdhparam
Выполняет операции с файловой системой:
Модифицирует права доступа к файлам:
- /var/spool/cron/crontabs/tmp.zwLqVh
- /var/spool/cron/crontabs/tmp.WXRmsV
- /var/spool/cron/crontabs/tmp.Ez9KLG
- /var/spool/cron/crontabs/tmp.MAIaC4
- /var/spool/cron/crontabs/tmp.kisJQg
- /var/spool/cron/crontabs/tmp.dTN2Rs
- /var/spool/cron/crontabs/tmp.oTFn2V
- /var/spool/cron/crontabs/tmp.YPFg47
- /var/spool/cron/crontabs/tmp.P1EHzq
- /var/spool/cron/crontabs/tmp.weZGAF
- /var/tmp/zmcertmgr
- /var/spool/cron/crontabs/tmp.aWR9LU
- /var/tmp/zmconfigdctl
- /var/spool/cron/crontabs/tmp.7eX3k4
- /var/tmp/zmdhparam
Создает или модифицирует файлы:
- /opt/zimbra/bin/zmcheckversion
- /opt/zimbra/bin/zmclientcertmgr
- /opt/zimbra/libexec/zmtrainsa
- /opt/zimbra/libexec/zmjavaext
- /opt/zimbra/libexec/zmldappasswd
- /opt/zimbra/libexec/zmloggerctl
- /opt/zimbra/common/bin/watchdog
- /opt/zimbra/lib/zmcheckversion
- /opt/zimbra/lib/zmclientcertmgr
- /opt/zimbra/lib/zmjavaext
- /opt/zimbra/lib/zmldappasswd
- /opt/zimbra/lib/zmloggerctl
- /opt/zimbra/zmstat/zmstat
- /opt/zimbra/log/zmjavaext
- /opt/zimbra/log/zmldappasswd
- /opt/zimbra/log/zmloggerctl
- /opt/zimbra/log/lwatchdog
- /var/tmp/zmldappasswd
- /tmp/c_zmldappasswd_bak
- /var/spool/cron/crontabs/tmp.zwLqVh
- /tmp/zmldappasswd.pid
- /opt/zimbra/bin/zmgsaupdate
- /var/spool/cron/crontabs/tmp.WXRmsV
- /opt/zimbra/bin/zmqueuelog
- /var/spool/cron/crontabs/tmp.Ez9KLG
- /opt/zimbra/libexec/zmmysqlstatus
- /var/spool/cron/crontabs/tmp.MAIaC4
- /opt/zimbra/libexec/zmgsaupdate
- /var/spool/cron/crontabs/tmp.kisJQg
- /opt/zimbra/lib/zmdhparam
- /var/spool/cron/crontabs/tmp.dTN2Rs
- /opt/zimbra/log/zmdnscachectl
- /var/spool/cron/crontabs/tmp.oTFn2V
- /opt/zimbra/log/zmdumpenv
- /var/spool/cron/crontabs/tmp.YPFg47
- /opt/zimbra/log/zmfixcalendtime
- /var/spool/cron/crontabs/tmp.P1EHzq
- /opt/zimbra/log/zmfixcalprio
- /var/spool/cron/crontabs/tmp.weZGAF
- /var/tmp/zmcertmgr
- /opt/zimbra/log/zmcertmgr.pid
- /var/spool/cron/crontabs/tmp.aWR9LU
- /var/tmp/zmconfigdctl
- /opt/zimbra/log/zmconfigdctl.pid
- /var/spool/cron/crontabs/tmp.7eX3k4
- /var/tmp/zmdhparam
Удаляет файлы:
- /tmp/cbstat.log
- /opt/zimbra/bin/zmgsaupdate
- /opt/zimbra/bin/zmqueuelog
- /opt/zimbra/libexec/zmmysqlstatus
- /opt/zimbra/libexec/zmgsaupdate
- /opt/zimbra/libexec/zmcertmgr
- /opt/zimbra/libexec/zmconfigdctl
- /opt/zimbra/lib/zmmysqlstatus
- /opt/zimbra/lib/zmgsaupdate
- /opt/zimbra/lib/zmcertmgr
- /opt/zimbra/lib/zmconfigdctl
- /opt/zimbra/lib/zmdhparam
- /opt/zimbra/log/zmdnscachectl
- /opt/zimbra/log/zmdumpenv
- /opt/zimbra/log/zmfixcalendtime
- /opt/zimbra/log/zmfixcalprio
- /var/tmp/zmcertmgr
- /var/tmp/zmconfigdctl
- /var/tmp/zmdhparam
- /opt/zimbra/bin/zmcheckversion
- /opt/zimbra/bin/zmclientcertmgr
- /opt/zimbra/libexec/zmtrainsa
- /opt/zimbra/libexec/zmjavaext
- /opt/zimbra/libexec/zmldappasswd
- /opt/zimbra/libexec/zmloggerctl
- /opt/zimbra/common/bin/watchdog
- /opt/zimbra/lib/zmcheckversion
- /opt/zimbra/lib/zmclientcertmgr
- /opt/zimbra/lib/zmjavaext
- /opt/zimbra/lib/zmldappasswd
- /opt/zimbra/lib/zmloggerctl
- /opt/zimbra/zmstat/zmstat
- /opt/zimbra/log/zmjavaext
- /opt/zimbra/log/zmldappasswd
- /opt/zimbra/log/zmloggerctl
- /opt/zimbra/log/lwatchdog
- /var/tmp/zmldappasswd
- /tmp/c_zmldappasswd_bak
- /var/tmp/zmloggerctl
- /var/tmp/lwatchdog
Прочее:
Собирает информацию о CPU
Собирает информацию об оперативной памяти
Собирает информацию о сетевой активности
