Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Siggen.6534

Added to the Dr.Web virus database: 2024-02-04

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Gets access to SSH keys
  • /root/.ssh/id_rsa
  • /root/.ssh/id_rsa/.ssh/id_ed25519
  • /root/.ssh/id_rsa/.ssh/id_ed25519/.ssh/id_dsa
  • /home/user/.ssh/id_rsa
  • /home/user/.ssh/id_rsa/.ssh/id_ed25519
  • /home/user/.ssh/id_rsa/.ssh/id_ed25519/.ssh/id_dsa
Substitutes application name for:
  • pogotygd
  • copoysco
Launches processes:
  • ufw allow 41297
  • firewall-cmd --permanent --add-port 41297/tcp
  • lscpu
  • (crontab -l; printf \x27@reboot <SAMPLE_FULL_PATH> noa\x0a\x27) | crontab -
  • /usr/sbin/xtables-nft-multi iptables -I OUTPUT -p tcp --dport 41297 -j ACCEPT
  • iptables -I INPUT -p tcp --dport 41297 -j ACCEPT
  • crontab -
  • /usr/sbin/xtables-nft-multi iptables -I INPUT -p tcp --dport 41297 -j ACCEPT
  • iptables -I OUTPUT -p tcp --dport 41297 -j ACCEPT
  • crontab -l
Kills the following processes:
  • pogotygd
Performs operations with the file system:
Modifies file access rights:
  • /var/spool/cron/crontabs/tmp.w0wD15
Creates or modifies files:
  • /var/spool/cron/crontabs/tmp.w0wD15
Changes time of creation/access/modification of files:
  • /var/spool/cron/crontabs
Network activity:
Awaits incoming connections on ports:
  • 0.0.0.0:41297
Establishes connection:
  • 8.#.8.8:53
Attacks using a special dictionary (brute-force technique) via the SSH protocol
Other:
Collects OS information
Collects CPU information

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number