Adware:Linux/Multiverze!rfn - Windows Defender threat signature analysis
=== THREAT ANALYSIS REPORT ===
Threat Name: Adware:Linux/Multiverze!rfn
Classification:
  Type: Adware
  Platform: Linux
  Family: Multiverze
  Detection Type: Concrete (known malware family with identified signatures)
  Suffix: !rfn (specific ransomware family name)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: Adware - Displays unwanted advertisements for Linux platform, family Multiverze

Summary:

Adware:Linux/Multiverze!rfn is a concrete detection of adware on a Linux platform, likely designed to display unwanted advertisements and redirect user traffic. Intriguingly, it contains strings referencing Windows components like MSVBVM60.DLL and the Windows Run registry key, suggesting potential cross-platform capabilities or targeting of Windows environments running on Linux (e.g., via Wine). The adware attempts to communicate with external domains such as www.gpmce.net and www.booble.com, likely for ad delivery or command-and-control purposes.

Severity: High

VDM Static Detection:
Relevant strings associated with this threat:
 - www.gpmce.net (PEHSTR_EXT)
 - www.booble.com (PEHSTR_EXT)
 - MSVBVM60.DLL (PEHSTR_EXT)
 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
  Filename: poop
  SHA-256: 895f8dff9cd26424b691a401c92fa7745e693275c38caf6a6aff277eadf2a70b
  Date: 15/12/2025
Remediation Steps:
 - Isolate the affected Linux system immediately.
 - Perform a full system scan with updated antivirus/anti-malware software to detect and remove all associated malicious files and processes.
 - Review recently installed applications, browser extensions, and system startup configurations for any suspicious entries.
 - Monitor network traffic for connections to the identified domains, such as www.gpmce.net.
 - Ensure the operating system and all applications are fully patched and up to date.
=== END REPORT ===