ELF_SOTDAS.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• /tmp/.sshhdd{random number}

It drops the following file(s)/component(s):

• /etc/init.d/.SSHH2

Other Details

This Trojan connects to the following possibly malicious URL:

• by.{BLOCKED}2088:7668

NOTES:

It checks if it is already running in the affected system. It does this by checking the current running {malware file path and file name}. It terminates itself if found running in "/etc/.SSHH2".

If the the current running {malware file path and file name} is in "/tmp/.sshhdd", it will drop a copy of itself as "/tmp/.sshhdd{random number}".

If there is no running copy of itself, it proceeds into its installation routines:

• Drops copy of itself in "/etc/.SSHH2"
• Creates symbolic link "/etc/rc2.d/S77.SSHH2" that points to "/etc/init.d/.SSHH2"
• Creates symbolic link "/etc/rc3.d/S77.SSHH2" that points to "/etc/init.d/.SSHH2"
• Creates symbolic link "/etc/rc4.d/S77.SSHH2" that points to "/etc/init.d/.SSHH2"
• Creates symbolic link "/etc/rc5.d/S77.SSHH2" that points to "/etc/init.d/.SSHH2"
• Runs the dropped copy of itself

The dropped file "/etc/init.d/.SSHH2" contains a commandline that uses setsid to execute "/etc/.SSHH2" in background.

It then deletes itself after execution.

The following dropped files also mentioned above enables the malware to execute at every system startup:

• "/etc/rc2.d/S77.SSHH2"
• "/etc/rc3.d/S77.SSHH2"
• "/etc/rc4.d/S77.SSHH2"
• "/etc/rc5.d/S77.SSHH2"
• "/etc/init.d/.SSHH2"