マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

Linux.Siggen.3569

Added to the Dr.Web virus database: 2021-02-02

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /etc/init.d/proc__bioset.sh
  • /etc/cron.d/root
  • /etc/cron.d/system
  • /etc/cron.d/apache
  • /var/spool/cron/crontabs/root
Malicious functions:
Compiles a program from source codes:
  • gcc -Wall -fPIC -shared /usr/local/lib/pro__wlib.c -lc -ldl -o /usr/local/lib/libpro__w.so
Manages services:
  • systemctl daemon-reload
  • systemctl enable proc__sysagent
Launches processes:
  • /bin/bash -c chattr -i /tmp/.program__temporary-storage-p-root
  • chattr -i /tmp/.program__temporary-storage-p-root
  • /bin/bash -c chattr +i /tmp/.program__temporary-storage-p-root
  • chattr +i /tmp/.program__temporary-storage-p-root
  • /bin/bash -c /bin/bash ./.pro__rkt/pro__autorkt.sh
  • /bin/bash ./.pro__rkt/pro__autorkt.sh
  • /bin/bash -c /bin/bash ./.pro__config/pro__automig.sh
  • cp ./.pro__writeo0bB /usr/sbin/proc__bioset
  • /bin/bash ./.pro__config/pro__automig.sh
  • cp ./.pro__rkt/proc__bioset.sh /etc/init.d/proc__bioset.sh
  • cat /tmp/.program__temporary-storage-g-root
  • chmod +x /usr/sbin/proc__bioset
  • chmod +x ./.pro__config/proc__o0mig
  • chmod +x /etc/init.d/proc__bioset.sh
  • sleep 1
  • nohup ./.pro__config/proc__o0mig -c ./.pro__config/pro__cfg
  • ./.pro__config/proc__o0mig -c ./.pro__config/pro__cfg
  • rm -rf ./.pro__rkt/proc__bioset.sh
  • cp ./.pro__writeo0bB /tmp/.kworker__flush
  • chattr -i /tmp/.program__temporary-storage-g-root
  • cp ./.pro__writeo0bB /var/tmp/.kworker__flush
  • chattr -i /tmp/.xfs__scsi__f2
  • cp ./.pro__writeo0bB /dev/shm/.kworker__flush
  • chattr +i /tmp/.program__temporary-storage-g-root
  • chattr +i /tmp/.xfs__scsi__f2
  • cp /bin/bash /tmp/.kworker__watchdogd
  • renice -1 -p 722
  • cp /bin/bash /var/tmp/.kworker__watchdogd
  • rm -rf ./.pro__config
  • cp /bin/bash /dev/shm/.kworker__watchdogd
  • /bin/bash -c /bin/bash ./.pro__lk/pro__autolk.sh
  • rm -rf ./.pro__writeo0bB
  • /bin/bash ./.pro__lk/pro__autolk.sh
  • chmod +x /tmp/.kworker__flush
  • chmod +x /var/tmp/.kworker__flush
  • tee ./.program__daemonload
  • chmod +x /dev/shm/.kworker__flush
  • tee ./.program__kill30
  • cp ./.pro__rkt/pro__wlib.c /usr/local/lib/pro__wlib.c
  • cat /tmp/.program__temporary-storage-d-root
  • rm -rf ./.pro__rkt/pro__wlib.c
  • find ./.kworker__watchdogd
  • wc -l
  • find /tmp/.kworker__watchdogd
  • /tmp/.kworker__watchdogd ./.program__daemonload
  • chattr -i /tmp/.program__temporary-storage-d-root
  • chattr +i /tmp/.program__temporary-storage-d-root
  • sleep 2
  • cat /tmp/.program__temporary-storage-l-root
  • /tmp/.kworker__watchdogd ./.program__kill30
  • chattr -i /tmp/.program__temporary-storage-l-root
  • chattr +i /tmp/.program__temporary-storage-l-root
  • rm -rf ./.pro__lk
  • rm ./.program__daemonload
  • sleep 10
  • /bin/bash -c /bin/bash ./.pro__scan/pro__autoscan.sh
  • rm ./.program__kill30
  • sleep 5
  • /bin/bash ./.pro__scan/pro__autoscan.sh
  • touch /tmp/.program__temporary-storage-r-root
  • nohup python ./.pro__scan/proc__scanr.py
  • python ./.pro__scan/proc__scanr.py
  • rm -rf ./.pro__scan
  • ps aux
  • grep -v proc__
  • awk {if(>30.0) print }
  • cat /tmp/.program__temporary-storage-p-root
  • touch /etc/ld.so.preload
  • rm -rf /usr/local/lib/pro__wlib.c
  • touch -acmr /bin/sh /etc/cron.d/system
  • touch -acmr /bin/sh /etc/cron.d/root
  • touch -acmr /bin/sh /var/spool/cron/root
  • cat
  • mkdir -p /var/spool/cron/crontabs
  • touch -acmr /bin/sh /etc/cron.d/apache
  • touch -acmr /bin/sh /var/spool/cron/crontabs/root
  • rm -rf ./.pro__rkt
  • rm -rf ./.program__kill30
Kills the following processes:
  • /root/.pro__config/proc__o0mig
  • /bin/bash
  • /tmp/.kworker__watchdogd
  • <SAMPLE>
Performs operations with the file system:
Modifies file access rights:
  • /root/.pro__config/proc__o0mig
  • /etc/init.d/proc__bioset.sh
  • /usr/local/lib/libpro__w.so
Creates folders:
  • /root/.pro__config
  • /root/.pro__rkt
  • /root/.pro__lk
  • /root/.pro__scan
Creates or modifies files:
  • /tmp/.program__temporary-storage-p-root
  • /root/.pro__config/pro__automig.sh
  • /root/.pro__rkt/pro__autorkt.sh
  • /root/.pro__config/pro__cfg
  • /root/.pro__rkt/pro__wlib.c
  • /root/.pro__rkt/proc__bioset.sh
  • /root/.pro__config/proc__o0mig
  • /tmp/.program__temporary-storage-g-root
  • /tmp/.xfs__scsi__f2
  • /tmp/.kworker__watchdogd
  • /var/tmp/.kworker__watchdogd
  • /root/.pro__lk/pro__autolk.sh
  • /dev/shm/.kworker__watchdogd
  • /root/.program__daemonload
  • /root/.program__kill30
  • /usr/local/lib/pro__wlib.c
  • /tmp/ccxsbdNo.s
  • /tmp/.program__temporary-storage-d-root
  • /tmp/.program__temporary-storage-l-root
  • /root/.pro__scan/pro__autoscan.sh
  • /root/.pro__scan/proc__scanr.py
  • /tmp/.program__temporary-storage-r-root
  • /tmp/ccDLYSK9.o
  • /tmp/cczHO9TW.res
  • /tmp/ccXQ9L5O.c
  • /tmp/ccKYk0GC.o
  • /tmp/ccO0SLiq.ld
  • /tmp/cc0QT0Ud.le
  • /usr/local/lib/libpro__w.so
  • /etc/ld.so.preload
  • /tmp/sh-thd-194211465
  • /etc/systemd/system/proc__sysagent.service
  • /var/spool/cron/root
  • /tmp/tmpfBepvqJ
  • /tmp/tmpfBepvqJ (deleted)
  • /tmp/tmpfDH3UrC
  • /tmp/tmpfDH3UrC (deleted)
  • /var/spool/cron/.pro__lk/pro__autolk.sh
  • /var/spool/cron/.program__daemonload
  • /var/spool/cron/.program__kill30
  • /tmp/tmpf7Sargk
  • /tmp/tmpf7Sargk (deleted)
  • /tmp/tmpfoT1jaf
  • /tmp/tmpfoT1jaf (deleted)
Deletes files:
  • /root/.pro__rkt/proc__bioset.sh
  • /root/proc__o0mig
  • /root/pro__cfg
  • /root/pro__automig.sh
  • /root/.pro__writeo0bB
  • /root/.pro__rkt/pro__wlib.c
  • /root/pro__autolk.sh
  • /root/.program__daemonload
  • /root/.program__kill30
  • /root/pro__autoscan.sh
  • /root/proc__scanr.py
  • /tmp/ccO0SLiq.ld
  • /tmp/cc0QT0Ud.le
  • /tmp/ccXQ9L5O.c
  • /tmp/ccKYk0GC.o
  • /tmp/cczHO9TW.res
  • /tmp/ccDLYSK9.o
  • /tmp/ccxsbdNo.s
  • /usr/local/lib/pro__wlib.c
  • /tmp/sh-thd-194211465
  • /tmp/tmpfBepvqJ
  • /var/spool/cron/pro__autorkt.sh
  • /tmp/tmpfDH3UrC
  • /tmp/tmpf7Sargk
  • /tmp/tmpfoT1jaf
Other:
Collects CPU information
Collects RAM information
Collects information about network activity

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number