Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Siggen.3100

Added to the Dr.Web virus database: 2020-06-07

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /etc/inittab
  • /var/spool/cron/crontabs/root
  • /etc/rc.local
Malicious functions:
Substitutes application name for:
  • l7dws18qi461cuhqba653vju
Modifies router settings:
  • /bin/nvram
Launches processes:
  • sh -c cat /etc/inittab | grep -v \"<SAMPLE_FULL_PATH>\" > /etc/inittab2
  • sh -c crontab -r
  • sh -c crontab -l | grep <SAMPLE_FULL_PATH> | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * <SAMPLE_FULL_PATH> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
  • crontab -r
  • cat /etc/inittab
  • grep <SAMPLE_FULL_PATH>
  • grep -v <SAMPLE_FULL_PATH>
  • crontab -l
  • grep -v no cron
  • sh -c echo \"0:2345:respawn:<SAMPLE_FULL_PATH>\" >> /etc/inittab2
  • sh -c cat /etc/inittab2 > /etc/inittab
  • crontab -
  • cat /etc/inittab2
  • sh -c rm -rf /etc/inittab2
  • rm -rf /etc/inittab2
  • sh -c touch -acmr /bin/ls /etc/inittab
  • touch -acmr /bin/ls /etc/inittab
  • sh -c cp -f <SAMPLE_FULL_PATH> /dev/shm/<SAMPLE>
  • sh -c /bin/uname -n
  • sh -c nvram get router_name
  • cp -f <SAMPLE_FULL_PATH> /dev/shm/<SAMPLE>
  • /bin/uname -n
  • sh -c cat /etc/inittab | grep -v \"/dev/shm/<SAMPLE>\" > /etc/inittab2
  • sh -c crontab -l | grep /dev/shm/<SAMPLE> | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/<SAMPLE> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
  • grep -v /dev/shm/<SAMPLE>
  • grep /dev/shm/<SAMPLE>
  • sh -c echo \"0:2345:respawn:/dev/shm/<SAMPLE>\" >> /etc/inittab2
  • sh -c cp -f <SAMPLE_FULL_PATH> /var/tmp/<SAMPLE>
  • cp -f <SAMPLE_FULL_PATH> /var/tmp/<SAMPLE>
  • sh -c cat /etc/inittab | grep -v \"/var/tmp/<SAMPLE>\" > /etc/inittab2
  • sh -c crontab -l | grep /var/tmp/<SAMPLE> | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/<SAMPLE> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
  • grep /var/tmp/<SAMPLE>
  • grep -v /var/tmp/<SAMPLE>
Performs operations with the file system:
Modifies file access rights:
  • /var/spool/cron/crontabs/tmp.BxqqDJ
  • /var/spool/cron/crontabs/tmp.5D6fq4
Creates or modifies files:
  • /tmp/.bawtz
  • /etc/inittab2
  • /var/spool/cron/crontabs/tmp.BxqqDJ
  • /dev/shm/<SAMPLE>
  • /var/spool/cron/crontabs/tmp.5D6fq4
  • /var/tmp/<SAMPLE>
Deletes files:
  • /etc/inittab2
Locks files:
  • /tmp/.bawtz
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:59000
Connects to the following servers over the IRC protocol:
  • Server: 51.##0.8.207; Command: NICK A5|e|0|2696672|unknown\nUSER muhstik localhost localhost :muhstik-11052018\n
  • Server: 51.##0.8.207; Command: PONG :683FD55F\n
  • Server: 51.##0.8.207; Command: MODE A5|e|0|2696672|unknown -xi\n
  • Server: 51.##0.8.207; Command: JOIN #ssh :8974\n
  • Server: 51.##0.8.207; Command: WHO A5|e|0|2696672|unknown\n

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number