Linux.Siggen.5748

Added to the Dr.Web virus database: 2023-10-08

Virus description added:

Technical Information

Malicious functions:
Gains root privileges
Removes the following system files:
  • /usr/bin/w
Launches processes:
  • /usr/bin/mawk awk {print 100 - $1\x22%\x22}
  • /usr/bin/mawk awk {printf $3}
  • su root -c cat >> /usr/bin/w << EOF\x0a##############\x0a## Merhaba; ##\x0a##############\x0a##====================================================##\x0a## Oncel
  • grep Special
  • tr -dc 123456789
  • /usr/sbin/xtables-nft-multi iptables -n -L
  • /usr/bin/mawk awk -F src NR==1{split($2,a,\x22 \x22);print a[1]}
  • bash -c source /tmp/549 <SAMPLE_FULL_PATH>
  • find /home/ -name Special
  • dig
  • bash -c cat >> /usr/bin/w << EOF\x0a##############\x0a## Merhaba; ##\x0a##############\x0a##====================================================##\x0a## Oncel
  • dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
  • grep 8.8.8.8
  • sed -i /127.0.0.1 ns1.google.com/d /etc/hosts
  • top -bn1
  • cp -r /root/HGMNetwork.v5 /usr/bin/HGMNetwork.v5
  • grep total
  • grep linuxkurulum
  • id -u
  • find . -name Special
  • cp -r /root/HGMNetworkv5 /usr/bin/HGMNetworkv5
  • clear
  • rm -rf /usr/bin/w
  • sudo iptables -n -L
  • sudo nohup sed -i 1inameserver 8.8.8.8 /etc/resolv.conf
  • chmod 777 /etc/alternatives/w
  • grep turascript
  • /usr/bin/mawk awk -F\x22 { print $2}
  • hostname
  • head -c8
  • sed s/\x5c /./g
  • /usr/bin/mawk awk -F ( |,|:)+ HGMNetwork_Uptime_Gun=0; HGMNetwork_Uptime_Saat=0; HGMNetwork_Uptime_Dakika=0; {if ($7==\x22min\x22) HGMNetwork_Uptime_Dakika=$6; else {if ($7~/^da
  • bash -c cat >> /etc/alternatives/w << EOF\x0a##############\x0a## Merhaba; ##\x0a##############\x0a##====================================================##\x0a## Oncel
  • ip route get 8.8.8.8
  • sed -i 1ialias w=\x22/usr/bin/w\x22 /root/.bashrc
  • chmod 777 /usr/bin/w
  • rm -rf /etc/alternatives/w
  • sleep 0.15
  • free -h
  • su root -c cat >> /var/lib/dpkg/alternatives/w << EOF\x0a##############\x0a## Merhaba; ##\x0a##############\x0a##====================================================##\x0a## Oncel
  • bash -c cat >> /var/lib/dpkg/alternatives/w << EOF\x0a##############\x0a## Merhaba; ##\x0a##############\x0a##====================================================##\x0a## Oncel
  • /usr/bin/mawk awk {printf $2}
  • sed -i 1inameserver 8.8.4.4 /etc/resolv.conf
  • grep Mem
  • rm -rf /usr/bin/HGMNetworkv5
  • tr -d \x22
  • /usr/bin/mawk awk {print $1 }
  • grep Cpu(s)
  • grep -qE ^(10\x5c.|172\x5c.1[6789]\x5c.|172\x5c.2[0-9]\x5c.|172\x5c.3[01]\x5c.|192\x5c.168)
  • grep -w NAME
  • grep alias w=\x22/usr/bin/w\x22
  • sudo nohup sed -i 1inameserver 8.8.4.4 /etc/resolv.conf
  • su root -c cat >> /etc/alternatives/w << EOF\x0a##############\x0a## Merhaba; ##\x0a##############\x0a##====================================================##\x0a## Oncel
  • df -h --total
  • sed -i 1inameserver 8.8.8.8 /etc/resolv.conf
  • nohup sed -i /127.0.0.1 github.com/d /etc/hosts
  • ping -c 1 -w 1 ns1.google.com
  • uname -r
  • sed s/\x5c-/ /g
  • nohup sed -i 1ialias w=\x22/usr/bin/w\x22 /root/.bashrc
  • grep 8.8.4.4
  • rm -rf /var/lib/dpkg/alternatives/w
  • cut -d= -f2
  • uptime -s
  • cat
  • cat /root/.bashrc
  • grep shot
  • grep regnum
  • grep tardis
  • nohup sed -i 1inameserver 8.8.4.4 /etc/resolv.conf
  • date +%d.%m
  • rm -rf /usr/bin/HGMNetwork.v5
  • cat /etc/os-release
  • /usr/bin/mawk awk {print $5}
  • chmod 777 /var/lib/dpkg/alternatives/w
  • sudo mkdir opensyss/
  • sudo nohup sed -i 1ialias w=\x22/usr/bin/w\x22 /root/.bashrc
  • grep Shot
  • whoami
  • head -c15
  • find /home/
  • nohup sed -i 1inameserver 8.8.8.8 /etc/resolv.conf
  • rm -rf Guvenlik.txt
  • find . -name Shot
  • find .
  • find /home/ -name shot
  • mkdir opensyss/
  • nohup sed -i /127.0.0.1 ns1.google.com/d /etc/hosts
  • /usr/bin/mawk awk {HGMNetwork_SunucuTarih=$1;$1=$NF;$NF=HGMNetwork_SunucuTarih}1
  • cat /etc/resolv.conf
  • sed -i /127.0.0.1 github.com/d /etc/hosts
  • sed s/.* *\x5c([0-9.]*\x5c)%* id.*/\x5c1/
  • find /opt/
  • uptime
  • head -c4
  • head -c11
  • date +%d.%m.%y
  • grep geoip
  • tr -dc 1234567890qwertQWERTasdfgASDFGzxcvbZXCVB
Kills the following processes:
  • dig
Performs operations with the file system:
Modifies file access rights:
  • /usr/bin/w
  • /var/lib/dpkg/alternatives/w
  • /etc/alternatives/w
Modifies file owner:
  • /etc/sedXr4IvB
  • /etc/sedUuHeLN
  • /root/sediRK6IQ
  • /etc/sed1TqQEk
  • /etc/sedzqyaWp
Creates folders:
  • /root/.config
  • /root/.config/procps
  • /etc/opensyss
Creates or modifies files:
  • /tmp/549
  • /etc/sedXr4IvB
  • /etc/sedUuHeLN
  • /proc/600/task/603/comm
  • /proc/600/task/604/comm
  • /proc/600/task/605/comm
  • /proc/617/task/619/comm
  • /proc/617/task/620/comm
  • /proc/617/task/621/comm
  • /usr/bin/w
  • /var/lib/dpkg/alternatives/w
  • /etc/alternatives/w
  • /root/sediRK6IQ
  • /etc/opensyss/Guvenlik.txt
  • /etc/sed1TqQEk
  • /etc/sedzqyaWp
Deletes files:
  • /tmp/549
Network activity:
Establishes connection:
  • 8.#.8.8:53
  • 8.#.4.4:53
  • 21#.#39.32.10:0
  • [2######60:4802:32::a]:0
  • 21#.##9.32.10:1025
  • (e##val)
DNS ASK:
  • ns#.#oogle.com
  • 10.##.##9.216.in-addr.arpa
Sends data to the following servers:
  • 127.0.0.1:51927
  • 8.#.8.8:53
  • 21#.#39.32.10
  • 127.0.0.1:48642
  • 21#.##9.32.10:53
Other:
Collects OS information
Collects CPU information
Collects RAM information
Collects information about network activity

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.