Hi everybody!
I was also experiencing the same issues running latest Xubuntu LTS, updated.
I also noted problems with my internet connection (DNS failures, low response).
The offending task could have several names (systemctl, sleep, ibus-x11, ...). There was (of course) a main task monitoring the system and reopening the CPU angry one.
Running "top", even if renamed, made the child task kill itself. The only way to see the task running was through task manager.
If you deleted the offending files they would reappear.
So... I grabbed my Holmes hat, my House cane, and this is what I have found.
This autostart file seems to have the code that makes the virus run at startup:
Code:
~/.config/autostart/dbus-daemon.desktop
The exec code line:
Code:
Exec=/home/(your username)/.local/share/accounts/services/dbus-daemon
These files seem to have the code to make the virus gain privileges:
~/.profile
~/.bashrc
~/.bash_profile
The code:
Code:
linux_bash="$HOME/(the path seems to be different, according to dissemination)"
if [ -e "$linux_bash" ];then
    setsid "$linux_bash" 2>&1 & disown
fi
Since these files had a timestamp of 20:33, I searched for all files modified right after (there were a few more but I already deleted them for test purposes):
dom 20 jan 2019 20:33:19 WET ./.bash_profile
dom 20 jan 2019 20:33:19 WET ./.bashrc
dom 20 jan 2019 20:33:19 WET ./.config/autostart/dbus-daemon.desktop
dom 20 jan 2019 20:33:19 WET ./.profile
dom 20 jan 2019 20:33:19 WET ./.local/share/accounts/services/.dbus-daemon.bin
dom 20 jan 2019 20:33:19 WET ./.local/share/icc/.icc-daemon.bin
dom 20 jan 2019 20:33:19 WET ./.local/share/icc/.icc-daemon.log
dom 20 jan 2019 20:33:24 WET ./.kodi/addons/script.module.python.requests/lib/requests/packages/urllib3/connectionpool.py
dom 20 jan 2019 20:34:06 WET ./.local/share/accounts/services/.dbus-daemon.sys
dom 20 jan 2019 20:34:08 WET ./.local/share/icc/icc-daemon
dom 20 jan 2019 20:34:08 WET ./.local/share/icc/.icc-daemon.sys
dom 20 jan 2019 20:34:44 WET ./.local/share/accounts/services/dbus-daemon
The dissemination seems to create 3 files:
One timestamp
One base64 lookalike
The offending script
What I've done:
1- Delete autostart file;
2- Delete offending code from ~/.profile, ~/.bashrc, ~/.bash_profile
3- Delete all dissemination files
4- Empty ~/.cache folder
5- Empty /tmp folder
6- Restarted
I don't know what this virus does. I did save the HEX file if someone wants to inspect any further.
As I don't know how my machine got infected (that Kodi urllib3 file looks suspicious!), I can't guarantee this is a final solution, though all seems OK now...
I will keep my system in check the next few days to see if this was all there was.
I hope this helps someone.
Forgive my poor English...
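The three persistence artefacts described in the post (an autostart .desktop entry whose Exec points into the user's home, a setsid/disown launcher appended to the shell rc files, and hidden .bin/.sys files under ~/.local/share) can be checked for with a small script. This is an added example, not code from the original post; the sample home directory it builds is constructed for the demonstration, and the hidden-file naming pattern it searches for is assumed from the listing above.

```shell
#!/bin/bash
# Added example: scan a home directory for the persistence artefacts the post describes.

# Build a constructed sample "home" that reproduces the artefacts (demo input only).
make_sample_home() {
  h="$1"
  mkdir -p "$h/.config/autostart" "$h/.local/share/accounts/services"
  # autostart entry whose Exec points at a user-writable path under the home dir
  printf '[Desktop Entry]\nType=Application\nExec=%s/.local/share/accounts/services/dbus-daemon\n' \
    "$h" > "$h/.config/autostart/dbus-daemon.desktop"
  # rc-file launcher of the shape quoted in the post (written as text, never executed here)
  printf '%s\n' 'linux_bash="$HOME/.local/share/accounts/services/dbus-daemon"' \
    'if [ -e "$linux_bash" ];then' '    setsid "$linux_bash" 2>&1 & disown' 'fi' >> "$h/.bashrc"
  # hidden payload/timestamp files next to the launched binary
  : > "$h/.local/share/accounts/services/.dbus-daemon.bin"
  : > "$h/.local/share/accounts/services/.dbus-daemon.sys"
}

# scan_home HOME: prints each finding to stderr and the total number of hits to stdout.
scan_home() {
  h="$1"; hits=0
  # 1. autostart entries that execute something from inside a home directory
  for f in "$h"/.config/autostart/*.desktop; do
    [ -e "$f" ] || continue
    if grep -q "^Exec=$h/" "$f" || grep -Eq '^Exec=(/home/|\$HOME/)' "$f"; then
      echo "autostart runs from home: $f" >&2; hits=$((hits + 1))
    fi
  done
  # 2. shell rc files that detach a background program (setsid ... & disown)
  for rc in .profile .bashrc .bash_profile; do
    if [ -f "$h/$rc" ] && grep -Eq 'setsid .*&[[:space:]]*disown' "$h/$rc"; then
      echo "background launcher in $h/$rc" >&2; hits=$((hits + 1))
    fi
  done
  # 3. hidden .bin/.sys files under ~/.local/share (naming pattern assumed from the post)
  found=$(find "$h/.local/share" -type f -name '.*' \( -name '*.bin' -o -name '*.sys' \) -print 2>/dev/null)
  if [ -n "$found" ]; then
    printf 'hidden file: %s\n' $found >&2
    hits=$((hits + $(printf '%s\n' "$found" | wc -l)))
  fi
  echo "$hits"
}
```

Run `scan_home "$HOME"` on a live system to list findings; a count of 0 means none of the three patterns was seen, not that the machine is clean.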