Linux.Siggen.3193
Added to the Dr.Web virus database:
2020-07-10
Virus description added:
2020-07-09
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/profile.d/bash_config.sh
- /etc/rc.local
- /etc/profile.d/linux.sh
- /etc/init.d/linux_kill
- /etc/crontab
- /etc/profile.d/bash_config
- /etc/init.d/ssh
- /etc/init.d/.depend.boot
- /etc/init.d/.depend.start
- /etc/init.d/.depend.stop
Creates or modifies the following symlinks:
- /etc/rc0.d/linux_kill
- /etc/rc1.d/linux_kill
- /etc/rc2.d/linux_kill
- /etc/rc3.d/linux_kill
- /etc/rc4.d/linux_kill
- /etc/rc5.d/linux_kill
- /etc/rc6.d/linux_kill
- /etc/rc2.d/S01linux_kill
- /etc/rc3.d/S01linux_kill
- /etc/rc4.d/S01linux_kill
- /etc/rc5.d/S01linux_kill
Malicious functions:
Manages services:
- update-rc.d linux_kill defaults
- systemctl daemon-reload
Launches processes:
- <SAMPLE_FULL_PATH>
- /bin/bash -c echo -e "#!/bin/sh\nwhile [ 1 ]; do\nsleep 30\n/etc/id.services.conf\ndone\n" > /etc/32679
- /bin/bash -c echo "#!/bin/sh" > /etc/profile.d/linux.sh
- /bin/bash -c echo -e "#!/bin/sh\n/usr/lib/libdlrpcld.so" > /.img
- /bin/bash -c echo -e "#!/bin/sh\n### BEGIN INIT INFO\n#chkconfig: 2345 10 90\n#description:System.img.config\n# Default-Start: 2 3 4 5\n# Default-Stop: \n### END INIT INFO\n/boot/System.img.config\nexit 0" > /etc/init.d/linux_kill;chmod +x /etc/init.d/linux_kill
- chmod +x /etc/init.d/linux_kill
- /bin/bash -c chmod 0755 /etc/32679
- /bin/bash -c echo "* * * * * root /.img " >> /etc/crontab
- /bin/bash -c
- chmod 0755 /etc/32679
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc0.d/linux_kill
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc0.d/linux_kill
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc0.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rc0.d/linux_kill
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc1.d/linux_kill
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc1.d/linux_kill
- /etc/32679
- sleep 30
- /bin/bash -c chmod 0755 /.img
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc1.d/linux_kill
- chmod 0755 /.img
- ln -s /etc/init.d/linux_kill /etc/rc1.d/linux_kill
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc2.d/linux_kill
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc2.d/linux_kill
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc2.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rc2.d/linux_kill
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc3.d/linux_kill
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc3.d/linux_kill
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc3.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rc3.d/linux_kill
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc4.d/linux_kill
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc4.d/linux_kill
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc4.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rc4.d/linux_kill
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc5.d/linux_kill
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc5.d/linux_kill
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc5.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rc5.d/linux_kill
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc6.d/linux_kill
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc6.d/linux_kill
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc6.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rc6.d/linux_kill
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rcS.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rcS.d/linux_kill
- /bin/bash -c update-rc.d linux_kill defaults;chkconfig --add linux_kill
- /sbin/insserv linux_kill
Performs operations with the file system:
Modifies file access rights:
- /etc/init.d/linux_kill
- /etc/32679
- /.img
Creates or modifies files:
- /dev/.img
- /usr/bin/find
- /etc/32679
- /.img
- /lib/system-monitor
- /usr/sbin/ifconfig.conf
- /usr/bin/lsof
- /usr/lib/libdlrpcld.so
- /etc/id.services.conf
Network activity:
Establishes connection:
- 8.#.8.8:53
- 3.###.115.48:65432
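The entries above describe three overlapping persistence paths: /etc/init.d/linux_kill, registered through update-rc.d, chkconfig and insserv and linked into every rc*.d directory, runs /boot/System.img.config at boot; the root crontab line runs /.img every minute, which in turn executes /usr/lib/libdlrpcld.so; and /etc/32679 loops forever, running /etc/id.services.conf every 30 seconds. The POSIX shell script below is an added triage example, not Dr.Web's tooling, that checks a live host or a mounted image for those artefacts. It assumes the paths exactly as listed in this entry; the dpkg/rpm verification of /usr/bin/find and /usr/bin/lsof, which the entry lists as overwritten, assumes the host uses one of those package managers and that those files belong to the findutils and lsof packages.

```shell
#!/bin/sh
# Added triage check for the Linux.Siggen.3193 artefacts listed in this entry
# (example code, not Dr.Web's). Usage: siggen3193_check [ROOT]
#   ROOT = "" (default) for the live host, or the mount point of an image or a
#   copied tree for offline analysis. Prints one line per finding and returns
#   the number of findings as its exit status (0 = nothing found).

# Dropped files named in the entry. /boot/System.img.config is the payload the
# fake init script runs, so it is checked even though the entry does not show it
# being written directly.
SIGGEN3193_FILES="/etc/32679 /.img /dev/.img /etc/id.services.conf
/usr/lib/libdlrpcld.so /lib/system-monitor /usr/sbin/ifconfig.conf
/boot/System.img.config /etc/init.d/linux_kill /etc/profile.d/linux.sh
/etc/profile.d/bash_config.sh /etc/profile.d/bash_config"

# Runlevel directories the dropper links linux_kill into (both rc layouts).
SIGGEN3193_RCDIRS="/etc/rc0.d /etc/rc1.d /etc/rc2.d /etc/rc3.d /etc/rc4.d
/etc/rc5.d /etc/rc6.d /etc/rcS.d /etc/rc.d/rc0.d /etc/rc.d/rc1.d
/etc/rc.d/rc2.d /etc/rc.d/rc3.d /etc/rc.d/rc4.d /etc/rc.d/rc5.d /etc/rc.d/rc6.d"

siggen3193_check() {
    root="${1:-}"
    hits=0

    # Dropped files and scripts.
    for f in $SIGGEN3193_FILES; do
        if [ -e "$root$f" ] || [ -L "$root$f" ]; then
            echo "FILE    $f"
            hits=$((hits + 1))
        fi
    done

    # Symlinks to the fake init script: both the bare name and the S01 form.
    for d in $SIGGEN3193_RCDIRS; do
        for l in "$root$d"/linux_kill "$root$d"/S[0-9][0-9]linux_kill; do
            [ -L "$l" ] || continue      # an unmatched glob keeps the literal pattern
            rel=${l#"$root"}
            echo "SYMLINK $rel -> $(readlink "$l")"
            hits=$((hits + 1))
        done
    done

    # The appended cron line runs /.img every minute as root.
    if [ -f "$root/etc/crontab" ] && grep -q '/\.img' "$root/etc/crontab"; then
        echo "CRON    $(grep '/\.img' "$root/etc/crontab" | head -n 1)"
        hits=$((hits + 1))
    fi

    # /etc/rc.local and the profile.d scripts are modified in place, so flag any
    # of them that reference the dropper's paths.
    for f in "$root/etc/rc.local" "$root"/etc/profile.d/*; do
        [ -f "$f" ] || continue
        if grep -Eq '/etc/32679|/\.img|libdlrpcld|id\.services\.conf|linux_kill' "$f"; then
            rel=${f#"$root"}
            echo "REF     $rel"
            hits=$((hits + 1))
        fi
    done

    # Live host only: verify find and lsof against the package database
    # (assumes Debian/RHEL-style packaging of findutils and lsof).
    if [ -z "$root" ]; then
        pkgdiff=""
        if command -v dpkg >/dev/null 2>&1; then
            pkgdiff=$(dpkg -V findutils lsof 2>/dev/null | grep -E '/usr/bin/(find|lsof)$' || true)
        elif command -v rpm >/dev/null 2>&1; then
            pkgdiff=$(rpm -V findutils lsof 2>/dev/null | grep -E '/usr/bin/(find|lsof)$' || true)
        fi
        if [ -n "$pkgdiff" ]; then
            echo "$pkgdiff" | while read -r line; do echo "PKGDIFF $line"; done
            hits=$((hits + 1))
        fi
    fi

    return "$hits"
}

# To run this file directly as a script, append:  siggen3193_check "$@"
```

Run it as root; a non-zero exit status is the number of findings, so it can gate an automated job. Because the sample overwrites find and lsof, do not trust those binaries on the suspect host: run the check from a rescue environment or with statically linked tools. On a live host also look for the loop process the entry lists (`/etc/32679` with a child `sleep 30`) and for an outbound connection to TCP port 65432, the port of the masked address above.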