Linux.Siggen.1577

Added to the Dr.Web virus database: 2019-04-12

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /etc/init.d/netdns
  • /etc/init.d/.depend.boot
  • /etc/init.d/.depend.start
  • /etc/init.d/.depend.stop
Creates or modifies the following symlinks:
  • /etc/rc0.d/K01netdns
  • /etc/rc1.d/K01netdns
  • /etc/rc2.d/S01netdns
  • /etc/rc3.d/S01netdns
  • /etc/rc4.d/S01netdns
  • /etc/rc5.d/S01netdns
  • /etc/rc6.d/K01netdns
Malicious functions:
Launches itself as a daemon
Manages services:
  • systemctl enable netdns
  • /usr/sbin/update-rc.d netdns defaults
  • systemctl daemon-reload
Launches processes:
  • <SAMPLE_FULL_PATH> [kerberods]
  • /bin/bash -c chattr -i /usr/lib/systemd/system/netdns.service
  • chattr -i /usr/lib/systemd/system/netdns.service
  • /bin/bash -c chkconfig --add netdns
  • /bin/bash -c systemctl enable netdns
  • /sbin/insserv netdns
Performs operations with the file system:
Creates or modifies files:
  • /tmp/.X11unix
  • /usr/sbin/kerberods
  • /usr/lib/systemd/system/netdns.service
Locks files:
  • /tmp/.X11unix
Network activity:
Establishes connection:
HTTP GET requests:
  • id##t.me/
DNS ASK:
  • id##t.me
Other:
Collects RAM information

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
