Backdoor:Linux/Mirai!MSR - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Linux/Mirai!MSR
Classification:
  Type: Backdoor
  Platform: Linux
  Family: Mirai
  Detection Type: Concrete (known malware family with identified signatures)
  Suffix: !MSR (high-priority threat flagged by Microsoft Security Response)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access), platform Linux, family Mirai.

Summary:

This is a concrete detection of a Mirai-variant backdoor targeting Linux systems, designed to turn compromised devices into bots for malicious activity such as DDoS attacks. It has capabilities for remote command execution and SQL injection (likely used for propagation), and it communicates with command-and-control servers to download payloads and receive instructions.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
 - /ver.txt (PEHSTR_EXT)
 - /update.txt (PEHSTR_EXT)
 - http://%s:8888/ (PEHSTR_EXT)
 - \msinfo.exe (PEHSTR_EXT)
 - /delete /f /tn msinfo (PEHSTR_EXT)
 - //%s:8888/ups.rar (PEHSTR_EXT)
 - //%s:8888/wpd.dat (PEHSTR_EXT)
 - //%s:8888/wpdmd5.txt (PEHSTR_EXT)
 - //down2.b5w91.com:8443 (PEHSTR_EXT)
 - /shell?%s (PEHSTR_EXT)
 - ;exec sp_add_jobserver (PEHSTR_EXT)
 - ;EXEC sp_droplogin (PEHSTR_EXT)
 - ;exec(@a); (PEHSTR_EXT)
 - <sip:carol@chicago.com> (PEHSTR_EXT)
 - @name='bat.exe',@freq_type=4,@active_start_date (PEHSTR_EXT)
 - @shell INT EXEC SP_ (PEHSTR_EXT)
 - [Cracker:MSSQL] Host:%s, blindExec CMD: %s (PEHSTR_EXT)
 - [ExecCode] (PEHSTR_EXT)
 - [ExecCode]AUTHORIZATION [dbo] FROM 0x4D5A (PEHSTR_EXT)
 - \Run','rundll32'; (PEHSTR_EXT)
 - C:\Progra~1\kugou2010&attrib (PEHSTR_EXT)
 - C:\Progra~1\mainsoft&attrib (PEHSTR_EXT)
 - C:\Progra~1\shengda&attrib (PEHSTR_EXT)
 - cmd3:[%s] (PEHSTR_EXT)
 - DROP ASSEMBLY ExecCode (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
  Filename: i486
  SHA-256: 9a836af038f270dc26adad7a0ec58293c079cfdd9212db550cca495148aa6580
  Date: 30/12/2025
Remediation Steps:
Immediately isolate the infected Linux device from the network. Perform a factory reset or reimage the device's operating system to ensure complete removal. Change all default and weak credentials. Patch all known vulnerabilities, especially for exposed services, and implement strong network segmentation and firewall rules to restrict external access to IoT devices.
=== END REPORT ===

This analysis was last updated on 30/12/2025.