PHP_ROOPRE.A
Linux/Roopre.A.Gen (ESET)
Linux, Unix
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan executes when a user accesses certain websites where it is hosted.
It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
TECHNICAL DETAILS
Arrival Details
This Trojan executes when a user accesses certain websites where it is hosted.
Installation
This Trojan drops the following files:
- {malware path}\libworker.so - detected as ELF_ROOPRE.A
- {malware path}\1.sh - executes libworker.so
Dropping Routine
This Trojan executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
NOTES:
It terminates itself if the Mayhem tool is installed in the system.
SOLUTION
Step 1
Remove malware/grayware files dropped/downloaded by PHP_ROOPRE.A. (Note: Please skip this step if the threats listed below have already been removed.)
- ELF_ROOPRE.A
Step 2
Scan your computer with your Trend Micro product to delete files detected as PHP_ROOPRE.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.