

Detected Sep 23 2010 13:55 GMT
Released Sep 24 2010 15:47 GMT
Published Apr 05 2011 12:29 GMT


Technical Details

This program is conditionally malicious software that grants superuser privileges to the user on devices running the Android operating system by exploiting a vulnerability in the security system (CVE-2009-1185).


This exploit program has to be placed in one of the following directories to ensure that it is launched:

Permissions are assigned to this file before it is launched:
-rwxr-xr-x


If the real user ID of the current process does not match its effective user ID, the exploit attempts to assign "root" privileges to the process and then deletes the following files:

Then it executes commands in the command line; these commands are passed to the exploit as parameters. If an error occurs when executing this command, the exploit displays the following message:
[-] execve
Then it executes commands in the command line; these commands are passed to the exploit as parameters. If an error occurs when executing this command, the exploit displays the following message:
[-] readlink
If the user ID has not been set for this file, or if the effective user ID equals "0", it deletes the contents of this file:
It will then check for files:
If none of the files is found, it displays the following message: It then opens the "mount" and "fs_type" files and reads the data required for mounting. Then it re-mounts the directory:
It then creates the directory
It copies its working directory to this directory and sets permissions for files:
It then prints the following lines to the command line:
[*] Android local root exploid (C) The Android Exploid Crew
[*] Modified by shakalaca for various devices
Then one of the base directories is entered:
The following directory is set by default:
The following messages are then displayed in the command line:
[+] Using basedir=, path=

[+] opening NETLINK_KOBJECT_UEVENT socket
It deletes the files from the base directory:
It then creates these files and saves the information about the mounted device in these files as well as the information about the file system type for the following directory:
It creates a script that will re-mount the file system:
It then exploits a vulnerability in the processing of malformed NETLINK messages (CVE-2009-1185) to elevate the current user to "root" privileges. Finally it displays the following lines:
[*] Try to invoke hotplug now, clicking at the wireless
[*] settings, plugin USB key etc.
[*] You succeeded if you find /system/bin/rootshell.
[*] GUI might hang/restart meanwhile so be patient.
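As an added illustration (not code from this description, and not the exploit's own code), the receiving-side check that closes this class of bug: a uevent listener must only act on NETLINK datagrams whose sender port id (nl_pid) is 0, because only the kernel sends from that address. The check mirrors the udev fix for CVE-2009-1185; that Android's init used exactly this check is an assumption, the NETLINK_KOBJECT_UEVENT value is defined here by hand because the socket module may not expose it, and the sample messages are constructed.

```python
import socket
from typing import Optional

# Protocol number of the kernel uevent netlink family (linux/netlink.h);
# defined by value here because Python's socket module may not export it.
NETLINK_KOBJECT_UEVENT = 15

# The kernel sends uevents from netlink port id 0. Any other pid means a
# userspace process sent the datagram (assumption: this is the check the
# udev fix for CVE-2009-1185 introduced; Android's init is not verified here).
KERNEL_NL_PID = 0


def parse_uevent(payload: bytes) -> dict:
    """Parse a uevent datagram: 'ACTION@DEVPATH\\0KEY=VALUE\\0...'."""
    fields = [f for f in payload.split(b"\0") if f]
    if not fields or b"@" not in fields[0]:
        raise ValueError("not a uevent message")
    action, _, devpath = fields[0].partition(b"@")
    event = {"ACTION": action.decode(), "DEVPATH": devpath.decode()}
    for field in fields[1:]:
        key, sep, value = field.partition(b"=")
        if sep:
            event[key.decode()] = value.decode(errors="replace")
    return event


def accept_uevent(sender: tuple, payload: bytes) -> Optional[dict]:
    """Return the parsed event only if it came from the kernel, else None.

    `sender` is the (pid, groups) address tuple that socket.recvfrom returns
    for AF_NETLINK sockets.
    """
    pid, _groups = sender
    if pid != KERNEL_NL_PID:
        # Forged uevent from another userspace process: ignore it.
        return None
    return parse_uevent(payload)


def listen_for_uevents(handler, bufsize: int = 8192) -> None:
    """Linux-only: join the kernel uevent multicast group and hand accepted events to handler."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_KOBJECT_UEVENT)
    sock.bind((0, 1))  # pid 0 lets the kernel assign our port; group 1 is kernel uevents
    while True:
        payload, sender = sock.recvfrom(bufsize)
        event = accept_uevent(sender, payload)
        if event is not None:
            handler(event)


if __name__ == "__main__":
    # Constructed messages: one from the kernel (pid 0), one from a process.
    genuine = accept_uevent((0, 1), b"add@/devices/virtual/net/lo\0ACTION=add\0SUBSYSTEM=net\0")
    forged = accept_uevent((1234, 0), b"add@/devices/virtual/net/lo\0ACTION=add\0SUBSYSTEM=net\0")
    print("kernel event:", genuine)
    print("forged event:", forged)
```

The listener is not what makes this safe; `accept_uevent` is. Anything that consumes uevents (hotplug helpers, firmware loaders, mount scripts) should see only events that passed that pid check.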
This exploit program may run on the following devices:
Google Nexus One (2.2)
Google G1 (1.6)
HTC Hero (2.1)
HTC Magic (1.5)
HTC Tattoo (1.6)
Dell Streak (2.1)
Motorola Milestone (2.1)
Motorola XT701
Motorola XT800 (2.1)
Motorola ME511
Motorola Charm
Motorola Droid (2.01/2.1/2.2 with FRG01B)
Sony Ericsson X10 (1.6)
Sony Ericsson X10 Mini (1.6)
Sony Ericsson X10 Mini Pro (1.6)
Acer Liquid (2.1)
Acer beTouch E400 (2.1)
Samsung Galaxy Beam
Samsung Galaxy 5 (GT-I5500)
Vibo A688 (1.6)
Lenovo Lephone (1.6)
LG GT540 (1.6)
Gigabyte GSmart G1305

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original program file (its location will depend on how the program originally penetrated the victim machine).
  2. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

MD5: 6ec31587f26b999013cb423c604db046
SHA1: 514c44835086d874342d9e3b8b10d5372d2e74e5
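An added triage example (not part of the original description and not Kaspersky's tooling) that turns the indicators on this page into a check: it hashes a file and compares the result with the MD5/SHA1 above, and scans for the banner strings the program prints. The two-hit threshold and the sample bytes are my own choices; the sample is constructed and is not the real binary.

```python
import hashlib

# Indicators taken from this description: the file hashes and the banner
# strings the program writes to the command line.
KNOWN_HASHES = {
    "md5": "6ec31587f26b999013cb423c604db046",
    "sha1": "514c44835086d874342d9e3b8b10d5372d2e74e5",
}
BANNER_STRINGS = [
    b"Android local root exploid",
    b"The Android Exploid Crew",
    b"Modified by shakalaca",
    b"opening NETLINK_KOBJECT_UEVENT socket",
    b"/system/bin/rootshell",
]


def hash_file_bytes(data: bytes) -> dict:
    """MD5 and SHA1 hex digests of the data, keyed like KNOWN_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def hash_matches(data: bytes) -> bool:
    """True only if both digests equal the known sample's digests."""
    digests = hash_file_bytes(data)
    return all(digests[name] == value for name, value in KNOWN_HASHES.items())


def find_banner_strings(data: bytes) -> list:
    """Banner strings from the description that occur in the data."""
    return [s.decode() for s in BANNER_STRINGS if s in data]


def triage(data: bytes) -> dict:
    """Combine the exact hash match with the looser string scan into a verdict."""
    hits = find_banner_strings(data)
    exact = hash_matches(data)
    if exact:
        verdict = "known sample (hash match)"
    elif len(hits) >= 2:  # threshold chosen here, not from the description
        verdict = "suspicious (exploid banner strings present)"
    else:
        verdict = "no indicator found"
    return {"hash_match": exact, "banner_hits": hits, "verdict": verdict, **hash_file_bytes(data)}


def triage_path(path: str) -> dict:
    """Read a file from disk and triage it."""
    with open(path, "rb") as f:
        return triage(f.read())


# Constructed sample (not the real binary): an ELF-like header followed by
# two of the banner lines, to show the string scan firing without a hash match.
SAMPLE = (
    b"\x7fELF" + b"\0" * 12
    + b"[*] Android local root exploid (C) The Android Exploid Crew\0"
    + b"[+] opening NETLINK_KOBJECT_UEVENT socket\0"
)
# Constructed benign input for comparison.
BENIGN = b"#!/system/bin/sh\necho hello\n"

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
```

The hash check identifies this exact sample only; the string scan is what catches repacked builds of the same exploit, at the cost of false positives on anything that merely embeds those strings, which is why it yields "suspicious" rather than a definite verdict.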


Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.

Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.

Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.


Exploit.Linux.Lotoor.b (Kaspersky Lab) is also known as:

  • Trojan: Exploit-Generic.src (McAfee)
  • Heuristics.Broken.Executable (ClamAV)
  • Exploit.Linux.Lotoor (Ikarus)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Exploit:Linux/DroidRooter.A [FSE] (FSecure)