FOR CUSTOMERS

My library

+ Add to library

Search

24/7 Tech support | Rules regarding submitting

Send a message

Call us

+7 (495) 789-45-86

Forum

Your tickets

Total: -
Active: -
Latest: -

Call us

+7 (495) 789-45-86

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY

Support services

Dr.Web vxCube

Sign in to Dr.Web vxCube

VCI investigations

Virus library

Knowledge base

Technologies

Terminology

Training and education

Myths

Myths about anti-viruses

Linux.Siggen.2712

Added to the Dr.Web virus database: 2020-04-23

Virus description added: 2020-04-22

Technical Information

Malicious functions:

Launches itself as a daemon

Substitutes application name for:

[kworker/Z69:0]

Modifies firewall settings:

iptables -F

Manages services:

systemctl -p CanReload show cron.service
systemctl -p LoadState show cron.service
/bin/systemctl start cron.service

Launches processes:

/bin/sh -c iptables -F >/dev/null 2>&1
/bin/sh -c /etc/init.d/cron start >/dev/null 2>&1
/etc/init.d/cron start
run-parts --lsbsysinit --list /lib/lsb/init-functions.d
readlink -f /etc/init.d/cron
/bin/sh -c /etc/init.d/crond start >/dev/null 2>&1
/etc/init.d/crond start
/bin/sh -c crontab -l > ADDbdC
crontab -l
/bin/sh -c cp /etc/init.d
cp /etc/init.d

Kills system processes:

sshd

Kills the following processes:

dhclient
atd
systemd-logind
exim4
systemd
kworker/u2:1

Performs operations with the file system:

Creates or modifies files:

/root/ADDbdC

Deletes files:

/var/spool/cron/ADDbdC

Network activity:

Awaits incoming connections on ports:

0.0.0.0:9178

Establishes connection:

8.#.8.8:53
37.##.226.209:28344
37.##.226.209:9991

Attacks using a special dictionary (brute-force technique) via the Telnet protocol.

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number