Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Siggen.2016

Added to the Dr.Web virus database: 2019-07-21

Virus description added:

Technical Information

Malicious functions:
Launches itself as a daemon
Substitutes application name for:
  • -1
  • lipupr
  • lomg
  • java
Modifies firewall settings:
  • iptables -F
Launches processes:
  • sh -c chattr -R -i /tmp/* ; rm -rf /tmp/.* ; rm -rf /tmp/* ; crontab -r ; for i in `atq | awk '{print $1}'`; do atrm $i; done ; rm -rf /dev/shm/* ; rm -rf /dev/shm/* ; rm -rf /var/tmp/* ; rm -rf /var/tmp/.* ; chattr -R -i /var/spool/*/* ; rm -rf /var/spool/*/*/* ; mkdir /tmp ; >/dev/null 2>&1
  • chattr -R -i /tmp/*
  • rm -rf /tmp/. /tmp/.. /tmp/.ICE-unix /tmp/.Test-unix /tmp/.X11-unix /tmp/.XIM-unix /tmp/.font-unix
  • rm -rf /tmp/*
  • crontab -r
  • atq
  • awk {print $1}
  • rm -rf /dev/shm/*
  • sh -c iptables -F ; iptables-save >/dev/null 2>&1
  • rm -rf /var/tmp/*
  • rm -rf /var/tmp/. /var/tmp/..
  • chattr -R -i /var/spool/cron/atjobs /var/spool/cron/atspool /var/spool/cron/crontabs /var/spool/exim4/db /var/spool/exim4/input /var/spool/exim4/msglog
  • sh -c /root/exesbr
  • /root/exesbr
  • rm -rf /var/spool/exim4/input/1ahTzp-0002FZ-0L-D /var/spool/exim4/input/1ahUKa-0002Fm-0o-D
  • mkdir /tmp
  • iptables-save
  • sh -c chattr -R -i /tmp/* ; rm -rf /tmp/.* ; rm -rf /tmp/* ; for i in `atq | awk '{print $1}'`; do atrm $i; done ; rm -rf /dev/shm/* ; rm -rf /dev/shm/* ; rm -rf /var/tmp/* ; rm -rf /var/tmp/.* ; chattr -R -i /var/spool/*/* ; rm -rf /var/spool/*/*/* ; >/dev/null 2>&1
  • rm -rf /tmp/. /tmp/..
  • sh -c /root/lomg lomg
  • /root/lomg lomg
  • sh -c /root/iilkqr xjwu
  • /root/iilkqr xjwu
  • sh -c /root/nskvsrpn
  • /root/nskvsrpn
Kills system processes:
  • sshd
Kills the following processes:
  • run.sh
  • bash
  • systemd
  • (sd-pam)
  • /bin/sh
  • /bin/rm
Performs operations with the file system:
Modifies file access rights:
  • /usr/bin/wget
  • /dev/urandom
  • /usr/bin/perl
  • /usr/bin/python3.4
  • /usr/bin/python2.7
  • /usr/bin/mawk
  • /usr/bin/xargs
  • /bin/sed
  • /root/exesbr
  • /usr/bin/crontab
  • /usr/bin/at
  • /root/lomg
  • /root/iilkqr
  • /root/nskvsrpn
Creates or modifies files:
  • /root/exesbr
  • /root/lomg
  • /root/iilkqr
  • /root/p
  • /root/nskvsrpn
Deletes files:
  • /tmp/*
  • /dev/shm/*
  • /var/tmp/*
  • /var/spool/exim4/input/1ahTzp-0002FZ-0L-D
  • /usr/bin/at
  • /root/iilkqr
  • /root/p
Network activity:
HTTP GET requests:
  • 18#.##5.169.6/jp/jj
  • 16#.##.69.25/j/fst
  • 16#.##.69.25/j/jrd
  • 16#.##.69.25/j/lmmml

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2019

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040