FOR CUSTOMERS

My library

+ Add to library

Search

24/7 Tech support | Rules regarding submitting

Send a message

Call us

+7 (495) 789-45-86

Forum

Your tickets

Total: -
Active: -
Latest: -

Call us

+7 (495) 789-45-86

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY

Support services

Dr.Web vxCube

Sign in to Dr.Web vxCube

VCI investigations

Virus library

Knowledge base

Technologies

Terminology

Training and education

Myths

Myths about anti-viruses

Linux.Siggen.7876

Added to the Dr.Web virus database: 2024-08-03

Virus description added: 2024-08-03

Technical Information

To ensure autorun and distribution:

Creates or modifies the following files:

/etc/init.d/VsystemsshMdt
/etc/init.d/selinux

Creates or modifies the following symlinks:

/etc/rc1.d/S97VsystemsshMdt
/etc/rc2.d/S97VsystemsshMdt
/etc/rc3.d/S97VsystemsshMdt
/etc/rc4.d/S97VsystemsshMdt
/etc/rc5.d/S97VsystemsshMdt
/etc/rc1.d/S99selinux
/etc/rc2.d/S99selinux
/etc/rc3.d/S99selinux
/etc/rc4.d/S99selinux
/etc/rc5.d/S99selinux

Malicious functions:

Launches itself as a daemon

Replaces the following system files:

/usr/bin/lsof
/usr/bin/ps

Launches processes:

mkdir -p /usr/bin/bsd-port
cp -f /usr/bin/bsd-port/knerl /bin/ps
/usr/bin/bsd-port/knerl
cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof
ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
cp -f <SAMPLE_FULL_PATH> /usr/bin/bsd-port/knerl
chmod 0755 /usr/bin/lsof
chmod 0755 /bin/ps
ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt
chmod 0755 /bin/lsof
mkdir -p /usr/bin/dpkgd
mkdir -p /bin
cp -f <SAMPLE_FULL_PATH> /usr/bin/daemon
ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
/usr/bin/daemon
ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt
ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
chmod 0755 /usr/bin/ps
ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt
mkdir -p /usr/bin
cp -f /usr/bin/bsd-port/knerl /usr/bin/ps
/usr/bin/kmod insmod /usr/lib/xpacket.ko
ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt
ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt
cp -f /usr/bin/bsd-port/knerl /bin/lsof
ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
cp -f /bin/ps /usr/bin/dpkgd/ps
cp -f /bin/lsof /usr/bin/dpkgd/lsof
insmod /usr/lib/xpacket.ko

Performs operations with the file system:

Modifies file access rights:

/usr/bin/lsof
/usr/bin/ps

Creates folders:

/usr/bin/bsd-port
/usr/bin/dpkgd

Creates or modifies files:

/root/vga.conf
/usr/bin/bsd-port/knerl
/tmp/notify.file
/usr/bin/daemon
/usr/bin/bsd-port/knerl.conf
/root/idus.log
/usr/bin/dpkgd/lsof
/usr/bin/dpkgd/ps
/usr/bin/bsd-port/conf.n

Deletes files:

/tmp/notify.file

Locks files:

/root/vga.conf
/usr/bin/bsd-port/knerl.conf
/root/idus.log
/usr/bin/bsd-port/conf.n

Network activity:

Establishes connection:

59.###.8.142:30000

DNS ASK:

kn###.0889.org

Sends data to the following servers:

59.###.8.142:30000

Other:

Collects OS information

Collects CPU information

Collects RAM information

Collects information about network activity

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number