マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

Linux.Siggen.2126

Added to the Dr.Web virus database: 2019-08-28

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /var/spool/cron/crontabs/root
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
  • gf128mul
Launches processes:
  • sh -c
  • base64 -d
  • bash
  • xargs fuser -k
  • find /root/.ddg/*
  • fuser -k
  • xargs chattr -i
  • find /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/crontab /etc/cron.weekly
  • chattr -i /etc/cron.d /etc/cron.d/.placeholder /etc/cron.daily /etc/cron.daily/passwd /etc/cron.daily/aptitude /etc/cron.daily/mlocate /etc/cron.daily/logrotate /etc/cron.daily/apt /etc/cron.daily/bsdmainutils /etc/cron.daily/.placeholder /etc/cron.daily/dpkg /etc/cron.daily/man-db /etc/cron.daily/exim4-base /etc/cron.hourly /etc/cron.hourly/.placeholder /etc/cron.monthly /etc/cron.monthly/.placeholder /etc/crontab /etc/cron.weekly /etc/cron.weekly/.placeholder /etc/cron.weekly/man-db
  • xargs rm -f
  • cut -f 1 -d :
  • grep -RE (wget|curl) /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
  • rm -f
  • find /var/spool/cron
  • chattr -i /var/spool/cron /var/spool/cron/atjobs /var/spool/cron/atjobs/.SEQ /var/spool/cron/atspool /var/spool/cron/crontabs
  • grep -RE (wget|curl|tmp00|upd|X13) /var/spool/cron
  • xargs sed -i /wget\|curl\|tmp00\|update.sh\|\/upd\|firefoxcatche\|X13-unix/d
  • sed -i /wget\|curl\|tmp00\|update.sh\|\/upd\|firefoxcatche\|X13-unix/d
  • grep -RE REDIS00 /var/spool/cron
  • sed /curl/d
  • sed /wget/d
  • crontab -l
  • sed /tmp00/d
  • sed /\upd/d
  • sed /X13/d
  • sed /firefoxcatche/d
  • crontab -
  • pkill -9 -f sleep|kworkre|kwroker|crun|watchog|watchbog|watchbug|pastebin
  • pkill -9 -f 8220|aegis_|AliHids|AliYunDun|aliyun-service|azipl|cr.sh|cronds|crun|cryptonight|ddgs|fs-manager|finJG|havegeds|hashfish|hwlh3wlh44lh|HT8s|java-c|kerberods|khugepageds|kintegrityds|kpsmouseds|kthrotlds|kworkerds|kworkre|kwroker|mewrs|miner|mr.sh|muhsti|mygit|networkservice|orgfs|pastebin|qW3xT|qwefdas|stratum|sustes|sustse|sysguard|t00ls|thisxxs|/tmp/ddgs|/tmp/java|/tmp/udevs|/tmp/update.sh|/tmp/yarn|/usr/bin/netfs|vTtHH|watchbog|watchbug|watchog|wipefs|wnTKYg|x3Wq|xig|xmr|X13-unix|zer0
  • rm -rf /root/.wget-* /root/.tmp00 /tmp/.X13-unix
  • grep -q rapid7 /etc/hosts
  • grep -q aptget /etc/hosts
  • grep -q tor2we /etc/hosts
Kills the following processes:
  • run.sh
Performs operations with the file system:
Modifies file access rights:
  • /var/spool/cron/crontabs/tmp.UAmaNT
Creates or modifies files:
  • /tmp/.X1M-unix
  • /var/spool/cron/crontabs/tmp.UAmaNT
Locks files:
  • /tmp/.X1M-unix
Other:
Collects CPU information
Collects RAM information

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number