Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Siggen.7423

Added to the Dr.Web virus database: 2024-05-08

Virus description added:

Technical Information

Malicious functions:
Manages services:
  • ['systemctl', 'daemon-reload']
  • ['systemctl', 'enable', 'supdate.service']
  • ['systemctl', 'start', 'supdate.service']
Launches processes:
  • gpgv --homedir /tmp/apt-key-gpghome.h8hPrHhBig --keyring /tmp/apt-key-gpghome.h8hPrHhBig/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.muL5hs /tmp/apt.data.o4Cejs
  • /bin/sh -c yum update -y && yum install epel-release -y && yum install screen hping3 -y
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
  • /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.muL5hs /tmp/apt.data.o4Cejs
  • readlink -f /etc/apt/trusted.gpg.d/
  • crontab -l
  • apt-config shell GPGV Apt::Key::gpgvcommand
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
  • apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  • cat /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
  • cat /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
  • gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
  • /usr/bin/dpkg --print-foreign-architectures
  • apt update
  • whoami
  • apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  • readlink -f /tmp/apt-key-gpghome.h8hPrHhBig
  • cat /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
  • touch /tmp/installed
  • sort
  • /bin/sh -c apt update && apt install screen hping3 -y
  • mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
  • cat /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
  • find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 ( -name *.gpg -o -name *.asc )
  • gpg-connect-agent -s --no-autostart GETINFO scd_running /if ${! $?} scd killscd /end
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
  • apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  • cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
  • chmod 700 /tmp/apt-key-gpghome.h8hPrHhBig
  • apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  • ps aux
  • gpg-connect-agent --no-autostart KILLAGENT
  • rm -rf /tmp/apt-key-gpghome.h8hPrHhBig
  • touch /tmp/apt-key-gpghome.h8hPrHhBig/pubring.gpg
  • cp -a /tmp/apt-key-gpghome.h8hPrHhBig/pubring.gpg /tmp/apt-key-gpghome.h8hPrHhBig/pubring.orig.gpg
  • sed -e s#\x27#\x27\x22\x27\x22\x27#g
  • cat /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
  • gpgconf --kill all
  • /usr/lib/apt/methods/https
  • rm -f /tmp/apt-key-gpghome.h8hPrHhBig/pubring.gpg
  • ls /tmp/installed
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
  • apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
  • /bin/sh -c ls /tmp/installed
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
  • /bin/sh -c touch /tmp/installed
  • cat /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
  • /usr/lib/apt/methods/gpgv
  • cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
  • /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.ckJDAK /tmp/apt.data.Zygt8M
  • apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  • cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
  • /usr/lib/apt/methods/http
  • apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
Kills the following processes:
  • http
  • gpgv
Performs operations with the file system:
Modifies file access rights:
  • /var/lib/apt/lists/partial
  • /var/lib/apt/lists/auxfiles
  • /var/lib/apt/lists/deb.debian.org_debian_dists_bullseye_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
  • /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
  • /tmp/apt-key-gpghome.h8hPrHhBig
Modifies file owner:
  • /var/lib/apt/lists/partial
  • /var/lib/apt/lists/auxfiles
  • /var/lib/apt/lists/deb.debian.org_debian_dists_bullseye_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
  • /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
Creates folders:
  • /tmp/apt-key-gpghome.h8hPrHhBig
Deletes folders:
  • /tmp/apt-key-gpghome.h8hPrHhBig
Creates or modifies files:
  • /tmp/#130834 (deleted)
  • /var/lib/apt/lists/lock
  • /tmp/installed
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.VRA0ZE
  • /root/.bashrc
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.gEdyUC
  • /etc/systemd/system/supdate.service
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.cnmwmH
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.mFqHJD
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
  • /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
  • /tmp/apt.conf.pAMADq
  • /tmp/apt.sig.muL5hs
  • /tmp/apt.data.o4Cejs
  • /tmp/apt-key-gpghome.h8hPrHhBig/pubring.gpg
  • /tmp/apt-key-gpghome.h8hPrHhBig/pubring.orig.gpg
  • /tmp/apt-key-gpghome.h8hPrHhBig/gpg.1.sh
  • /tmp/#130829 (deleted)
  • /tmp/apt.conf.jYB6dN
  • /tmp/apt.sig.ckJDAK
  • /tmp/apt.data.Zygt8M
Deletes files:
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.VRA0ZE
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.gEdyUC
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.cnmwmH
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.mFqHJD
  • /tmp/apt-key-gpghome.h8hPrHhBig/pubring.orig.gpg
  • /tmp/apt-key-gpghome.h8hPrHhBig/pubring.gpg
  • /tmp/apt-key-gpghome.h8hPrHhBig/gpg.1.sh
  • /tmp/apt.conf.pAMADq
  • /tmp/apt.sig.muL5hs
  • /tmp/apt.data.o4Cejs
Changes time of creation/access/modification of files:
  • /tmp/installed
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
  • /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
  • /tmp/apt-key-gpghome.h8hPrHhBig/pubring.gpg
  • /tmp/apt-key-gpghome.h8hPrHhBig/pubring.orig.gpg
Network activity:
Establishes connection:
  • 84.##.51.78:80
  • 18#.##4.99.34:4444
  • 8.#.8.8:53
  • 15#.##1.246.132:80
  • [2#####e42:3a::644]:80
  • 10#.##6.22.21:443
  • (e##val)
  • 10#.##6.22.86:443
  • 10#.##6.22.116:443
  • 10#.##6.22.127:443
  • [2##########368:aa00:3:db06:4200:93a1]:443
  • [2##########368:4200:3:db06:4200:93a1]:443
  • [2##########368:6800:3:db06:4200:93a1]:443
  • [2##########368:c200:3:db06:4200:93a1]:443
  • [2##########368:d200:3:db06:4200:93a1]:443
  • [2##########368:ea00:3:db06:4200:93a1]:443
  • [2##########368:3000:3:db06:4200:93a1]:443
  • [2##########368:ec00:3:db06:4200:93a1]:443
DNS ASK:
  • _h####.##cp.download.docker.com
  • _h###.###p.security.debian.org
  • do####ad.docker.com
  • de####.#ap.fastlydns.net
  • _h###.##cp.deb.debian.org
Sends data to the following servers:
  • 84.##.51.78:80
  • 18#.##4.99.34:4444
  • 15#.##1.246.132:80
  • 10#.##6.22.21:443
Receives data from the following servers:
  • 84.##.51.78:80
  • 18#.##4.99.34:4444
  • 15#.##1.246.132:80
  • 10#.##6.22.21:443
Other:
Collects OS information
Collects CPU information
Collects RAM information
Collects information about network activity

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number