Linux/Moose [Threat Name]
The worm serves as a backdoor. It can be controlled remotely.
The worm is usually found in the following folder:
The following filename is used:
The worm tries to copy itself to the available remote computers.
The worm generates various IP addresses.
It tries to connect to the remote machine on port:
- 23 (TCP, Telnet)
The worm attempts to brute-force login credentials, using a list of username and password combinations it received from the C&C server.
If successful, the remote computer may attempt to download a copy of the worm from the Internet.
This copy of the worm is then executed.
The worm collects sensitive information when the user browses certain web sites.
The worm collects the following information:
The following services are affected:
- Google Play
The worm attempts to send gathered information to a remote machine.
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a list of URLs. The TCP protocol is used.
It can execute the following operations:
- monitor network traffic
- set up a proxy server
- open ports
- terminate running processes
- send unidentified fraud traffic to popular social networks
The worm opens TCP port 10073.
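The propagation pattern described above (generated target IPs, Telnet on TCP/23, then a listener on TCP/10073) is something network flow data can surface. The following detection heuristic is an added example, not part of the original threat description; the simplified flow-log format, the sample records and the thresholds are constructed assumptions to be adapted to a real log source.

```python
from collections import defaultdict

# Constructed sample flow log (not real traffic): "<epoch> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
1000 192.168.1.20 203.0.113.5 23 tcp
1001 192.168.1.20 198.51.100.9 23 tcp
1002 192.168.1.20 203.0.113.77 23 tcp
1003 192.168.1.20 192.0.2.14 23 tcp
1004 192.168.1.20 203.0.113.91 23 tcp
1005 192.168.1.20 198.51.100.40 23 tcp
1010 192.168.1.30 203.0.113.5 443 tcp
1011 192.168.1.30 203.0.113.5 23 tcp
1020 192.168.1.44 192.168.1.20 10073 tcp
"""

TELNET_PORT = 23          # propagation port named in the description
MOOSE_PORT = 10073        # TCP port the description says the worm opens
SCAN_THRESHOLD = 5        # distinct Telnet targets per source in one window (tuning assumption)
WINDOW_SECS = 60          # sliding window length in seconds (tuning assumption)

def parse_flows(text):
    """Parse the simplified flow format into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = line.split()
            flows.append((int(ts), src, dst, int(dport), proto.lower()))
    return flows

def telnet_scanners(flows, threshold=SCAN_THRESHOLD, window=WINDOW_SECS):
    """Sources reaching >= threshold distinct hosts on TCP/23 within `window` seconds
    (generate-IPs-then-brute-force behaviour). Returns {src: targets in worst window}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == TELNET_PORT:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                hits[src] = max(len(targets), hits.get(src, 0))
    return hits

def hosts_serving_moose_port(flows):
    """Destinations accepting TCP/10073: candidates for the worm's listener, to verify on the host."""
    return sorted({dst for _, _, dst, dport, proto in flows
                   if proto == "tcp" and dport == MOOSE_PORT})
```

A host that appears in both results (scanning Telnet outbound and accepting 10073 inbound) deserves priority; either result alone is a lead, not a verdict.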
The worm may execute a "DNS redirection" attack, which can cause redirection of network traffic to the attacker's web sites.
For further information follow the links below: