JavaScript support is required for our site to be fully operational in your browser.
Linux.Siggen.2101
Added to the Dr.Web virus database:
2019-08-21
Virus description added:
2019-08-21
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
/var/spool/cron/crontabs/root
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
Launches processes:
sh -c
bash
base64 -d
xargs fuser -k
find /root/.ddg/*
fuser -k
xargs chattr -i
find /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/crontab /etc/cron.weekly
chattr -i /etc/cron.d /etc/cron.d/.placeholder /etc/cron.daily /etc/cron.daily/passwd /etc/cron.daily/aptitude /etc/cron.daily/mlocate /etc/cron.daily/logrotate /etc/cron.daily/apt /etc/cron.daily/bsdmainutils /etc/cron.daily/.placeholder /etc/cron.daily/dpkg /etc/cron.daily/man-db /etc/cron.daily/exim4-base /etc/cron.hourly /etc/cron.hourly/.placeholder /etc/cron.monthly /etc/cron.monthly/.placeholder /etc/crontab /etc/cron.weekly /etc/cron.weekly/.placeholder /etc/cron.weekly/man-db
xargs rm -f
cut -f 1 -d :
grep -RE (wget|curl) /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
rm -f
find /var/spool/cron
chattr -i /var/spool/cron /var/spool/cron/atjobs /var/spool/cron/atjobs/.SEQ /var/spool/cron/atspool /var/spool/cron/crontabs
xargs sed -i /wget\|curl\|tmp00\|update.sh\|\/upd\|firefoxcatche\|X13-unix/d
grep -RE (wget|curl|tmp00|upd|X13) /var/spool/cron
sed -i /wget\|curl\|tmp00\|update.sh\|\/upd\|firefoxcatche\|X13-unix/d
grep -RE REDIS00 /var/spool/cron
crontab -l
sed /wget/d
sed /curl/d
sed /tmp00/d
sed /\upd/d
sed /X13/d
sed /firefoxcatche/d
crontab -
pkill -9 -f sleep|kworkre|kwroker|crun|watchog|watchbog|watchbug|pastebin
pkill -9 -f 8220|aegis_|AliHids|AliYunDun|aliyun-service|azipl|cr.sh|cronds|crun|cryptonight|ddgs|fs-manager|finJG|havegeds|hashfish|hwlh3wlh44lh|HT8s|java-c|kerberods|khugepageds|kintegrityds|kpsmouseds|kthrotlds|kworkerds|kworkre|kwroker|mewrs|miner|mr.sh|muhsti|mygit|networkservice|orgfs|pastebin|qW3xT|qwefdas|stratum|sustes|sustse|sysguard|t00ls|thisxxs|/tmp/ddgs|/tmp/java|/tmp/udevs|/tmp/update.sh|/tmp/yarn|/usr/bin/netfs|vTtHH|watchbog|watchbug|watchog|wipefs|wnTKYg|x3Wq|xig|xmr|X13-unix|zer0
rm -rf /root/.wget-* /root/.tmp00 /tmp/.X13-unix
grep -q rapid7 /etc/hosts
grep -q aptget /etc/hosts
grep -q tor2we /etc/hosts
Kills the following processes:
Performs operations with the file system:
Modifies file access rights:
/var/spool/cron/crontabs/tmp.oltAFq
Creates or modifies files:
/tmp/.X1M-unix
/var/spool/cron/crontabs/tmp.oltAFq
Locks files:
Other:
Collects CPU information
Collects RAM information
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
Download Dr.Web for Android
Free three-month trial
All protection features available
Renew your trial license in AppGallery/on Google Pay
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK