Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Siggen.2118

Added to the Dr.Web virus database: 2019-08-26

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /etc/inittab
  • /var/spool/cron/crontabs/root
  • /etc/rc.local
Malicious functions:
Substitutes application name for:
  • 72ljbvhibgq252hitsv2
Modifies router settings:
  • /bin/nvram
Launches processes:
  • sh -c crontab -l | grep <SAMPLE_FULL_PATH> || (crontab -l ; echo \"* * * * * <SAMPLE_FULL_PATH> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
  • sh -c crontab -r
  • sh -c cat /etc/inittab | grep -v \"<SAMPLE_FULL_PATH>\" > /etc/inittab2
  • crontab -r
  • cat /etc/inittab
  • crontab -l
  • grep <SAMPLE_FULL_PATH>
  • grep -v <SAMPLE_FULL_PATH>
  • sh -c echo \"0:2345:respawn:<SAMPLE_FULL_PATH>\" >> /etc/inittab2
  • crontab -
  • sh -c cat /etc/inittab2 > /etc/inittab
  • cat /etc/inittab2
  • sh -c rm -rf /etc/inittab2
  • rm -rf /etc/inittab2
  • sh -c touch -acmr /bin/ls /etc/inittab
  • touch -acmr /bin/ls /etc/inittab
  • sh -c cp -f <SAMPLE_FULL_PATH> /dev/shm/<SAMPLE>
  • sh -c /bin/uname -n
  • sh -c nvram get router_name
  • cp -f <SAMPLE_FULL_PATH> /dev/shm/<SAMPLE>
  • /bin/uname -n
  • sh -c cat /etc/inittab | grep -v \"/dev/shm/<SAMPLE>\" > /etc/inittab2
  • sh -c crontab -l | grep /dev/shm/<SAMPLE> || (crontab -l ; echo \"* * * * * /dev/shm/<SAMPLE> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
  • grep -v /dev/shm/<SAMPLE>
  • grep /dev/shm/<SAMPLE>
  • sh -c echo \"0:2345:respawn:/dev/shm/<SAMPLE>\" >> /etc/inittab2
  • sh -c cp -f <SAMPLE_FULL_PATH> /var/tmp/<SAMPLE>
  • cp -f <SAMPLE_FULL_PATH> /var/tmp/<SAMPLE>
  • sh -c cat /etc/inittab | grep -v \"/var/tmp/<SAMPLE>\" > /etc/inittab2
  • sh -c crontab -l | grep /var/tmp/<SAMPLE> || (crontab -l ; echo \"* * * * * /var/tmp/<SAMPLE> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
  • grep -v /var/tmp/<SAMPLE>
  • grep /var/tmp/<SAMPLE>
  • sh -c echo \"0:2345:respawn:/var/tmp/<SAMPLE>\" >> /etc/inittab2
  • sh -c cp -f <SAMPLE_FULL_PATH> /var/lock/<SAMPLE>
  • cp -f <SAMPLE_FULL_PATH> /var/lock/<SAMPLE>
  • sh -c cat /etc/inittab | grep -v \"/var/lock/<SAMPLE>\" > /etc/inittab2
  • sh -c crontab -l | grep /var/lock/<SAMPLE> || (crontab -l ; echo \"* * * * * /var/lock/<SAMPLE> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
  • grep -v /var/lock/<SAMPLE>
  • grep /var/lock/<SAMPLE>
  • sh -c echo \"0:2345:respawn:/var/lock/<SAMPLE>\" >> /etc/inittab2
  • sh -c cp -f <SAMPLE_FULL_PATH> /var/run/<SAMPLE>
  • cp -f <SAMPLE_FULL_PATH> /var/run/<SAMPLE>
  • sh -c cat /etc/inittab | grep -v \"/var/run/<SAMPLE>\" > /etc/inittab2
  • sh -c crontab -l | grep /var/run/<SAMPLE> || (crontab -l ; echo \"* * * * * /var/run/<SAMPLE> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
  • grep /var/run/<SAMPLE>
  • grep -v /var/run/<SAMPLE>
  • sh -c echo \"0:2345:respawn:/var/run/<SAMPLE>\" >> /etc/inittab2
Performs operations with the file system:
Modifies file access rights:
  • /var/spool/cron/crontabs/tmp.YDX5AL
  • /var/spool/cron/crontabs/tmp.6rwBLF
  • /var/spool/cron/crontabs/tmp.dtgU7m
  • /var/spool/cron/crontabs/tmp.b3f5ai
Creates or modifies files:
  • /tmp/.bawtz
  • /etc/inittab2
  • /var/spool/cron/crontabs/tmp.YDX5AL
  • /dev/shm/<SAMPLE>
  • /var/spool/cron/crontabs/tmp.6rwBLF
  • /var/tmp/<SAMPLE>
  • /var/spool/cron/crontabs/tmp.dtgU7m
  • /var/lock/<SAMPLE>
  • /run/lock/<SAMPLE>
  • /var/spool/cron/crontabs/tmp.b3f5ai
  • /var/run/<SAMPLE>
  • /run/<SAMPLE>
  • /var/spool/cron/crontabs/tmp.zOmjMZ
Deletes files:
  • /etc/inittab2
Locks files:
  • /tmp/.bawtz
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:59000
Establishes connection:
  • <LOCAL_DNS_SERVER>
  • 18#.##.137.56:2407
Connects to the following servers over the IRC protocol:
  • Server: 18#.#2.137.56; Command: NICK A6|WEBM|0|5684000|unknown\nUSER muhstik localhost localhost :muhstik-11052018\n
  • Server: 18#.#2.137.56; Command: PONG :903674C9\n
  • Server: 18#.#2.137.56; Command: PONG :F49EF196\n
  • Server: 18#.#2.137.56; Command: PONG :2B889EA5\n
  • Server: 18#.#2.137.56; Command: PONG :F1404C5C\n
  • Server: 18#.#2.137.56; Command: PONG :2E4EEBB6\n
DNS ASK:
  • w.######hland-zahlung.net

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number