Linux.Siggen.6545

Added to the Dr.Web virus database: 2024-02-08

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /var/spool/cron/crontabs/root
Malicious functions:
Removes itself
Launches itself as a daemon
Launches processes:
  • crontab -l | { cat; echo '@reboot /root/yvr4mDqm'; } | crontab -
  • crontab -l | grep -v '/var/tmp/YY4OR4LZ' | crontab -
  • YY4OR4LZ
  • 875Vu0JI
  • crontab -l | grep -v '/var/tmp/WXLmqxaS' | crontab -
  • crontab -l | { cat; echo '@reboot /var/tmp/YY4OR4LZ'; } | crontab -
  • crontab -l | grep -v '/root/Y8nhbXg1' | crontab -
  • G1rAmtl0
  • crontab -l | grep -v '/var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/boRx4Jru' | crontab -
  • ATa5fp4o
  • grep -v /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/ATa5fp4o
  • cat
  • grep -v /var/tmp/WXLmqxaS
  • crontab -l | { cat; echo '@reboot <SAMPLE_FULL_PATH>'; } | crontab -
  • crontab -l | { cat; echo '@reboot /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/FL4GFDen'; } | crontab -
  • crontab -l | grep -v '/var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/nvQbTwpQ' | crontab -
  • grep -v /var/tmp/YY4OR4LZ
  • yvr4mDqm
  • 1h1KYZIM
  • grep -v /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/nvQbTwpQ
  • Y8nhbXg1
  • 3BBhlz2O
  • crontab -l | { cat; echo '@reboot /var/tmp/WXLmqxaS'; } | crontab -
  • crontab -l | { cat; echo '@reboot /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/yu6E5CBt'; } | crontab -
  • Kj3N3yX4
  • grep -v /root/Y8nhbXg1
  • YY4OR4LZi3pYO
  • crontab -l | { cat; echo '@reboot /root/G1rAmtl0'; } | crontab -
  • 7n0XyOJU9ZkLQ
  • nvQbTwpQ
  • crontab -l | grep -v '/root/3BBhlz2O' | crontab -
  • crontab -l | { cat; echo '@reboot /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/ATa5fp4o'; } | crontab -
  • crontab -l | { cat; echo '@reboot /var/tmp/875Vu0JI'; } | crontab -
  • FL4GFDen
  • WXLmqxaS
  • crontab -l | { cat; echo '@reboot /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/xIbykpeK'; } | crontab -
  • crontab -l | grep -v '/var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/ATa5fp4o' | crontab -
  • crontab -l | { cat; echo '@reboot /var/tmp/1h1KYZIM'; } | crontab -
  • crontab -l | { cat; echo '@reboot /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/boRx4Jru'; } | crontab -
  • grep -v /root/yvr4mDqm
  • crontab -l | grep -v '<SAMPLE_FULL_PATH>' | crontab -
  • crontab -l | { cat; echo '@reboot /root/3BBhlz2O'; } | crontab -
  • crontab -l | { cat; echo '@reboot /root/Y8nhbXg1'; } | crontab -
  • OuwvSBnV
  • crontab -l | grep -v '/root/yvr4mDqm' | crontab -
  • crontab -l | grep -v '/var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/yu6E5CBt' | crontab -
  • yu6E5CBt
  • grep -v /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/boRx4Jru
  • crontab -l | { cat; echo '@reboot /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/nvQbTwpQ'; } | crontab -
  • eFpvXxBA
  • grep -v <SAMPLE_FULL_PATH>
  • Pfyj5lYB
  • crontab -
  • boRx4Jru
  • grep -v /root/3BBhlz2O
  • xIbykpeK
  • hF2uYotq
  • crontab -l | { cat; echo '@reboot /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/OuwvSBnV'; } | crontab -
  • 2VXwVtY2
  • crontab -l
Performs operations with the file system:
Modifies file access rights:
  • /var/spool/cron/crontabs/tmp.0RR1pK
  • /var/tmp/WXLmqxaS
  • /var/spool/cron/crontabs/tmp.Kyz8Yq
  • /var/spool/cron/crontabs/tmp.ykhh3E
  • /var/spool/cron/crontabs/tmp.afvJDK
  • /tmp/.ICE-unix/7n0XyOJU9ZkLQ
  • /var/tmp/YY4OR4LZ
  • /var/spool/cron/crontabs/tmp.bTmfH1
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/WXLmqxaScSSVi
  • /var/spool/cron/crontabs/tmp.WeMlNj
  • /var/spool/cron/crontabs/tmp.G0Kk2l
  • /root/3BBhlz2O
  • /var/spool/cron/crontabs/tmp.oxsUgK
  • /var/spool/cron/crontabs/tmp.QwmkkO
  • /tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-d16u7f/oaYZmjxxJif7x
  • /var/spool/cron/crontabs/tmp.fh5Mh2
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/boRx4Jru
  • /root/YY4OR4LZi3pYO
  • /root/Y8nhbXg1
  • /var/spool/cron/crontabs/tmp.oWxn4k
  • /var/spool/cron/crontabs/tmp.5VtmEk
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/BuXR45ECxm2HC
  • /var/spool/cron/crontabs/tmp.gdXxbo
  • /var/spool/cron/crontabs/tmp.gVMQKH
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/yu6E5CBt
  • /dev/mqueue/3BBhlz2OO38l7
  • /var/tmp/875Vu0JI
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/ATa5fp4o
  • /var/spool/cron/crontabs/tmp.zBCRcu
  • /root/yvr4mDqm
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/xIbykpeK
  • /var/spool/cron/crontabs/tmp.74QG5i
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/nvQbTwpQ
  • /var/spool/cron/crontabs/tmp.qBbTKt
  • /var/spool/cron/crontabs/tmp.fwqDR2
  • /var/tmp/1h1KYZIM
  • /var/spool/cron/crontabs/tmp.5JW7ZI
  • /var/spool/cron/crontabs/tmp.pcM0n4
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/OuwvSBnV
  • /root/G1rAmtl0
  • /var/spool/cron/crontabs/tmp.G77E6m
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/FL4GFDen
  • /var/spool/cron/crontabs/tmp.VAklnJ
  • /var/spool/cron/crontabs/tmp.dXgAEk
  • /var/tmp/eFpvXxBA
  • /var/spool/cron/crontabs/tmp.9Lw8FE
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/Kj3N3yX4
  • /var/spool/cron/crontabs/tmp.0jsb1v
  • /var/spool/cron/crontabs/tmp.g96fek
  • /var/spool/cron/crontabs/tmp.VAeWsc
  • /var/spool/cron/crontabs/tmp.mXj5ji
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/Pfyj5lYB
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/Pfyj5lYB
  • /var/spool/cron/crontabs/tmp.TXSYjF
  • /var/spool/cron/crontabs/tmp.59FAJu
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/2VXwVtY2
  • /var/tmp/hF2uYotq
  • /tmp/tmux-0/1MtGefByjMKnk
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/hF2uYotq
Creates or modifies files:
  • /var/spool/cron/crontabs/tmp.0RR1pK
  • /var/tmp/WXLmqxaS
  • /var/spool/cron/crontabs/tmp.Kyz8Yq
  • /var/spool/cron/crontabs/tmp.ykhh3E
  • /var/spool/cron/crontabs/tmp.afvJDK
  • /tmp/.ICE-unix/7n0XyOJU9ZkLQ
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/db.data
  • /var/tmp/YY4OR4LZ
  • /var/spool/cron/crontabs/tmp.bTmfH1
  • /var/spool/cron/crontabs/tmp.WeMlNj
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/WXLmqxaScSSVi
  • /var/spool/cron/crontabs/tmp.G0Kk2l
  • /root/3BBhlz2O
  • /var/spool/cron/crontabs/tmp.oxsUgK
  • /var/spool/cron/crontabs/tmp.QwmkkO
  • /var/spool/cron/crontabs/tmp.fh5Mh2
  • /tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-d16u7f/oaYZmjxxJif7x
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/boRx4Jru
  • /root/YY4OR4LZi3pYO
  • /root/Y8nhbXg1
  • /var/spool/cron/crontabs/tmp.oWxn4k
  • /var/spool/cron/crontabs/tmp.5VtmEk
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/BuXR45ECxm2HC
  • /var/spool/cron/crontabs/tmp.gdXxbo
  • /var/spool/cron/crontabs/tmp.gVMQKH
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/yu6E5CBt
  • /dev/mqueue/3BBhlz2OO38l7
  • /var/tmp/875Vu0JI
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/ATa5fp4o
  • /var/spool/cron/crontabs/tmp.zBCRcu
  • /root/yvr4mDqm
  • /var/spool/cron/crontabs/tmp.fwqDR2
  • /var/spool/cron/crontabs/tmp.74QG5i
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/xIbykpeK
  • /var/spool/cron/crontabs/tmp.5JW7ZI
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/nvQbTwpQ
  • /var/spool/cron/crontabs/tmp.qBbTKt
  • /var/spool/cron/crontabs/tmp.pcM0n4
  • /var/tmp/1h1KYZIM
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/OuwvSBnV
  • /var/spool/cron/crontabs/tmp.VAklnJ
  • /var/spool/cron/crontabs/tmp.G77E6m
  • /root/G1rAmtl0
  • /var/spool/cron/crontabs/tmp.dXgAEk
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/FL4GFDen
  • /var/spool/cron/crontabs/tmp.9Lw8FE
  • /var/spool/cron/crontabs/tmp.0IwdVx
  • /var/tmp/eFpvXxBA
  • /var/spool/cron/crontabs/tmp.hoMYfO
  • /var/spool/cron/crontabs/tmp.g96fek
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/Kj3N3yX4
  • /var/spool/cron/crontabs/tmp.VAeWsc
  • /var/spool/cron/crontabs/tmp.0jsb1v
  • /var/spool/cron/crontabs/tmp.9MO65L
  • /var/spool/cron/crontabs/tmp.mXj5ji
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/Pfyj5lYB
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/Pfyj5lYB
  • /var/spool/cron/crontabs/tmp.TXSYjF
  • /var/spool/cron/crontabs/tmp.59FAJu
  • /var/spool/cron/crontabs/tmp.Q6tOke
  • /var/spool/cron/crontabs/tmp.Tocsvt
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/2VXwVtY2
  • /var/tmp/hF2uYotq
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/hF2uYotq
  • /tmp/tmux-0/1MtGefByjMKnk
Deletes files:
  • /var/tmp/WXLmqxaS
  • /var/tmp/YY4OR4LZ
  • /root/3BBhlz2O
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/boRx4Jru
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/ATa5fp4o
  • /root/Y8nhbXg1
  • /root/yvr4mDqm
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/nvQbTwpQ
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/yu6E5CBt
Changes time of creation/access/modification of files:
  • /var/spool/cron/crontabs
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-timesyncd.service-cRu1Gh/crontabs
  • /tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-d16u7f/crontabs
  • /var/tmp/systemd-private-9a696143c12e4a2d879683f675cf06b2-systemd-logind.service-truN7i/crontabs
  • /root/crontabs
  • /var/tmp/crontabs
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:44444
Establishes connection:
  • 127.0.0.1:44444
  • 127.0.0.1:44443
  • 67.###.135.145:8000
  • 91.###.18.60:8000
  • [:##]:44443
  • 74.###.1.126:8000
Sends data to the following servers:
  • 91.###.18.60:8000
  • 127.0.0.1:44444
  • 127.0.0.1:39052
  • 127.0.0.1:47486
  • 127.0.0.1:47498
  • 127.0.0.1:41372
  • 127.0.0.1:41384
  • 127.0.0.1:34992
  • 127.0.0.1:37252
  • 127.0.0.1:37270
  • 127.0.0.1:37282
  • 127.0.0.1:37290
  • 127.0.0.1:45060
  • 127.0.0.1:45084
  • 127.0.0.1:45100
  • 127.0.0.1:45130
  • 127.0.0.1:45150
  • 127.0.0.1:45170
  • 127.0.0.1:38792
  • 127.0.0.1:45156
  • 127.0.0.1:38808
Receives data from the following servers:
  • 91.###.18.60:8000
  • 127.0.0.1:39052
  • 127.0.0.1:44444
  • 127.0.0.1:39064
  • 127.0.0.1:47486
  • 127.0.0.1:47498
  • 127.0.0.1:41372
  • 127.0.0.1:41384
  • 127.0.0.1:34992
  • 127.0.0.1:35004
  • 127.0.0.1:37252
  • 127.0.0.1:37260
  • 127.0.0.1:37270
  • 127.0.0.1:37274
  • 127.0.0.1:37282
  • 127.0.0.1:37288
  • 127.0.0.1:37290
  • 127.0.0.1:45060
  • 127.0.0.1:45070
  • 127.0.0.1:45072
  • 127.0.0.1:45084
  • 127.0.0.1:45100
  • 127.0.0.1:45110
  • 127.0.0.1:45120
  • 127.0.0.1:45130
  • 127.0.0.1:45136
  • 127.0.0.1:45150
  • 127.0.0.1:45156
  • 127.0.0.1:45170
  • 127.0.0.1:45178
  • 127.0.0.1:38792
  • 127.0.0.1:38796
  • 127.0.0.1:38808
Other:
Collects CPU information

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
