January 19, 2016
Once launched, Linux.Ekoms.1 checks whether one of the subfolders in the home directory contains files with specified names. If it fails to find any, it randomly chooses a subfolder and saves its own copy there. The Trojan is then launched from the new location. If successful, the malicious program establishes a connection to the server whose addresses are hard-coded in its body. All information transmitted between the server and Linux.Ekoms.1 is encrypted.
Every 30 seconds the Trojan takes a screenshot and saves it to a temporary folder in JPEG format. If the file cannot be saved, the Trojan tries to save it in BMP format. The contents of the temporary folder are uploaded to the server at specified intervals.
One of the system threads created by the Trojan generates a filtering list for files named "aa*.aat", "dd*ddt", "kk*kkt" and "ss*sst"; it searches the temporary location for them and uploads the files that match these criteria to the server. If the server's answer is the uninstall line, Linux.Ekoms.1 downloads an executable file from the server, saves it to the temporary folder and runs it. The Trojan can also download and save a number of other files.
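As an added defender-side check, not part of this write-up or of the Trojan's code, the following Python sweep looks for files whose names match the four patterns above in the locations the description names (the temporary directory and the home directory); the directory roots and the constructed sample tree in demo() are assumptions.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Filename patterns the Trojan's upload thread looks for, as quoted in the
# write-up (the first carries a dot, the other three are given without one;
# '*' matches across the dot, so both spellings hit the same files).
EKOMS_PATTERNS = ("aa*.aat", "dd*ddt", "kk*kkt", "ss*sst")


def match_names(names):
    """Return the names that match any Ekoms staging pattern (case-sensitive)."""
    return sorted(n for n in names
                  if any(fnmatch.fnmatchcase(n, p) for p in EKOMS_PATTERNS))


def scan(root):
    """Walk `root` and return full paths of files whose name matches a pattern.

    Directories that cannot be entered are skipped so one permission error
    does not abort the whole sweep."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in match_names(files):
            hits.append(os.path.join(dirpath, name))
    return hits


def demo():
    """Constructed sample tree (assumed names, not real Trojan output) showing
    what scan() reports; returns the matched base names in sorted order."""
    with tempfile.TemporaryDirectory() as tmp:
        staged = Path(tmp) / "staged"
        staged.mkdir()
        for name in ("aa1.aat", "dd2.ddt", "kk3kkt", "ss4.sst",
                     "notes.txt", "aa5.bat"):
            (staged / name).write_bytes(b"")
        return sorted(os.path.basename(p) for p in scan(tmp))


if __name__ == "__main__":
    # Sweep the two places the write-up names: the temp folder and the home tree.
    for root in (tempfile.gettempdir(), Path.home()):
        for hit in scan(root):
            print(hit)
```

A hit only shows that a file name fits the pattern, so confirm it against the file's contents and the process that wrote it before treating the host as infected.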
In addition to taking screenshots, the Trojan's code contains a feature to record sound and save it as an .aat file in WAV format. However, this feature is not actually used anywhere. The entry for Linux.Ekoms.1 has been added to the Dr.Web virus databases, so this malicious program poses no threat to our users.