Upon execution, this virus first creates a child process. The original parent process executes the host program while the child proceeds to infect files and listen on ports.
This malware searches for a maximum of 30 target executable ELF files each in the current and /bin directories. It only infects files that are executable.
It infects ELF files by searching for the first PT_LOAD segment, which are the loadable segments in an ELF file and may contain executable code and data. It extends the size of this segment by 4096 bytes and inserts its viral code in this new space. It then modifies the file's entry point and sets it to the address of the viral code. It adjusts sections, headers, and other segments so that the host file is not corrupted.
This virus does not reinfect files. It knows if a file is already infected by checking if its entry point is located 4096 bytes from the end of the first PT_LOAD segment.
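The reinfection marker described above doubles as a detection signature. The following is an added example, not code from the original write-up: it parses an ELF header and its program headers, locates the first PT_LOAD segment, and flags the file when the entry point lies 4096 bytes before that segment's end. The sample ELF images are constructed inline; the interpretation of "end of segment" as p_vaddr plus p_filesz (or p_memsz) is an assumption.

```python
import struct

# ELF layout constants come from the ELF specification, not from the write-up.
ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
VIRAL_CHUNK = 4096  # size of the segment extension the write-up describes

def first_pt_load_and_entry(data: bytes):
    """Parse a little-endian ELF32/ELF64 image; return (e_entry, p_vaddr,
    p_filesz, p_memsz) of the first PT_LOAD segment, or None."""
    if len(data) < 0x34 or data[:4] != ELF_MAGIC:
        return None
    is64 = data[4] == 2
    if is64:
        e_entry, e_phoff = struct.unpack_from("<QQ", data, 0x18)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    else:
        e_entry, e_phoff = struct.unpack_from("<II", data, 0x18)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2a)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(data):
            return None  # truncated or malformed program header table
        if is64:
            p_type = struct.unpack_from("<I", data, off)[0]
            p_vaddr, _paddr, p_filesz, p_memsz = struct.unpack_from("<QQQQ", data, off + 0x10)
        else:
            p_type, _off, p_vaddr, _paddr, p_filesz, p_memsz = struct.unpack_from("<IIIIII", data, off)
        if p_type == PT_LOAD:
            return e_entry, p_vaddr, p_filesz, p_memsz
    return None

def looks_infected(data: bytes) -> bool:
    """True when the entry point lies VIRAL_CHUNK bytes before the end of the
    first PT_LOAD segment (assumed: end = p_vaddr + p_filesz or p_memsz)."""
    parsed = first_pt_load_and_entry(data)
    if parsed is None:
        return False
    e_entry, p_vaddr, p_filesz, p_memsz = parsed
    return e_entry in (p_vaddr + p_filesz - VIRAL_CHUNK, p_vaddr + p_memsz - VIRAL_CHUNK)

def build_sample_elf(entry: int, seg_vaddr: int, seg_size: int) -> bytes:
    """Constructed minimal ELF64 image: header plus one PT_LOAD phdr, no real code."""
    ehdr = ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9  # ELFCLASS64, little-endian, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, entry, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, seg_vaddr, seg_vaddr, seg_size, seg_size, 0x1000)
    return ehdr + phdr

CLEAN_SAMPLE = build_sample_elf(0x400080, 0x400000, 0x200)                    # entry near segment start
INFECTED_SAMPLE = build_sample_elf(0x401200 - VIRAL_CHUNK, 0x400000, 0x1200)  # entry = segment end - 4096
```

Run `looks_infected(open(path, "rb").read())` over the directories the write-up names (the current directory and /bin) to triage candidates; a match is a strong indicator but should be confirmed by inspecting the code at the entry point.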
Files infected with this virus contain the following text strings:
This virus also acts as a backdoor program. After infecting other programs, the child process connects to 207.<blocked>.155.21 via port 80. This IP address points to xo<blocked>sis.com, which does not appear to contain malicious code.
It sends a GET request to the server, to download a file gov.php. This file is not present on the server; the virus more probably uses the request to get the infected user's IP address.
Then, it sets the network devices, "eth0" and "ppp0", to promiscuous mode, which allows the devices to intercept and read each network packet that arrives. This allows a local attacker to run a sniffer tool, which can retrieve information such as passwords from the target system.
If it receives a packet containing the string "DOM" at a particular offset and with the command byte of 1, then an attacker can execute arbitrary commands on the target system, which may include file manipulation commands. At this point, the attacker is able to remotely control the target system.
Otherwise, if the command byte is 2, it sends back the string "DOM" using port 4369.