Home / malware Linux.Xnote
First posted on 12 February 2015.
Source: SymantecAliases :
There are no other names known for Linux.Xnote.
Explanation :
When the Trojan is executed, it creates a copy of itself at the following location: /bin/iptable6
Next, the Trojan creates the following file: /tmp/.wq4sMLArXw
The Trojan then modifies the following files to add the line "/bin/iptable6" so that it runs every time the device restarts: /etc/init.d /etc/init.d/lightdm/etc/init.d/acpid/etc/init.d/x11-common/etc/init.d/udev/etc/init.d/kmod
The Trojan then deletes itself and connects to the following remote locations: c.et2046.comb.et2046.coma.et2046.com
The Trojan may then perform the following actions: Open a back doorConduct DDoS attacksGather details of the name of the device, CPU, and memory informationDownload filesCreate and delete filesLast update 12 February 2015
