マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

Linux.Siggen.2249

Added to the Dr.Web virus database: 2019-10-20

Virus description added:

Technical Information

Malicious functions:
Launches itself as a daemon
Launches processes:
  • sh -c cd /bin/; cat tftp > tftp-cpy; >tftp; cat <SAMPLE_FULL_PATH> > tftp; chmod 777tftp
  • cat tftp
  • cat <SAMPLE_FULL_PATH>
  • chmod 777tftp
  • sh -c cd /bin/; cat rm > rm-cpy; >rm; cat <SAMPLE_FULL_PATH> > rm; chmod 777rm
  • cat rm
  • chmod 777rm
  • sh -c cd /bin/; cat kill > kill-cpy; >kill; cat <SAMPLE_FULL_PATH> > kill; chmod 777kill
  • cat kill
  • chmod 777kill
  • sh -c cd /sbin/; cat tftp > tftp-cpy; >tftp; cat <SAMPLE_FULL_PATH> > tftp; chmod 777tftp
  • sh -c cd /sbin/; cat rm > rm-cpy; >rm; cat <SAMPLE_FULL_PATH> > rm; chmod 777rm
  • sh -c cd /sbin/; cat kill > kill-cpy; >kill; cat <SAMPLE_FULL_PATH> > kill; chmod 777kill
Kills the following processes:
  • <SAMPLE>
Performs operations with the file system:
Creates or modifies files:
  • /tmp/.lmaopid
  • /var/.lmaopid
  • /dev/.lmaopid
  • /mnt/.lmaopid
  • /run/.lmaopid
  • /var/tmp/.lmaopid
  • /.lmaopid
  • /dev/shm/.lmaopid
  • /bin/.lmaopid
  • /etc/.lmaopid
  • /boot/.lmaopid
  • /usr/.lmaopid
  • /bin/tftp-cpy
  • /bin/tftp
  • /bin/rm-cpy
  • /bin/rm
  • /bin/kill-cpy
  • /bin/kill
  • /sbin/tftp-cpy
  • /sbin/tftp
  • /sbin/rm-cpy
  • /sbin/rm
  • /sbin/kill-cpy
  • /sbin/kill
Network activity:
Establishes connection:
  • 8.#.8.8:53
  • 16#.##.95.24:10001
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
Sends data to the following servers:
  • 18#.###.212.15:37215
  • 46.###.21.1:37215
  • 19#.###.232.190:37215
  • 22#.#.199.136:37215
  • 19#.###.112.175:37215
  • 18#.##1.82.5:37215
  • 41.###.120.126:37215
  • 19#.###.81.105:37215
  • 19#.###.53.118:37215
  • 13#.##.180.97:37215
  • 41.##.248.233:37215
  • 22#.#.19.78:37215
  • 41.##.165.192:37215
  • 22#.#.58.137:37215
  • 22#.#.34.182:37215
  • 46.##.3.210:37215
  • 19#.##.63.167:37215
  • 41.##.97.13:37215
  • 19#.##.191.70:37215
  • 15#.###.27.228:37215
  • 22#.#.100.151:37215
  • 15#.###.55.109:37215
  • 18#.#.158.228:37215
  • 13#.##.23.48:37215
  • 46.##.116.228:37215
  • 16#.##.95.24:10001
  • 41.###.199.221:37215
  • 46.###.33.239:37215
  • 22#.#.254.143:37215
  • 22#.#.126.254:37215
  • 18#.##.175.193:37215
  • 19#.##.153.35:37215
  • 41.##.255.91:37215
  • 46.###.40.172:37215
  • 41.##.111.11:37215
  • 13#.##.253.237:37215
  • 18#.##7.9.154:37215
  • 19#.###.178.156:37215
  • 15#.#.237.35:37215
  • 22#.#.193.214:37215
  • 41.###.170.170:37215
  • 13#.##2.7.235:37215
  • 13#.###.148.103:37215
  • 13#.##.37.82:37215
  • 18#.###.122.139:37215
  • 15#.###.201.119:37215
  • 19#.###.140.213:37215
  • 46.###.252.94:37215
  • 19#.##.109.100:37215
  • 22#.#.162.59:37215
  • 41.###.53.193:37215
Receives data from the following servers:
  • 16#.##.95.24:10001

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number