マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

Linux.Siggen.6819

Added to the Dr.Web virus database: 2024-03-21

Virus description added:

Technical Information

Malicious functions:
Launches itself as a daemon
Substitutes application name for:
  • bsr8j40acqtr
Launches processes:
  • busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  • /usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  • /usr/sbin/xtables-nft-multi iptables -A INPUT -p udp --dport 59666 -j DROP
  • iptables -A INPUT -p tcp --dport 37215 -j DROP
  • nft add rule ip filter input tcp dport 37215 drop
  • iptables - A INPUT - p tcp --dport 35342 - j ACCEPT
  • iptables -A INPUT -s 141.98.10.128 -j DROP
  • iptables -A INPUT -s 85.196.9.193 -j DROP
  • iptables - A INPUT - p udp --dport 35342 - j ACCEPT
  • /usr/sbin/xtables-nft-multi iptables - A INPUT - p tcp --dport 8345 - j ACCEPT
  • /usr/sbin/xtables-nft-multi iptables -F
  • /usr/sbin/xtables-nft-multi iptables - A INPUT - p tcp --dport 35342 - j ACCEPT
  • /usr/sbin/xtables-nft-multi iptables -A INPUT -p tcp --dport 37215 -j DROP
  • iptables - A INPUT - p udp --dport 8345 - j ACCEPT
  • nft add rule ip filter input udp dport 59666 drop
  • /bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  • /bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  • echo \x22127.0.0.1 fucktheccp.top\x22 >> /etc/hosts
  • /usr/sbin/xtables-nft-multi iptables -A INPUT -s 141.98.10.128 -j DROP
  • /usr/sbin/xtables-nft-multi iptables - A INPUT - p udp --dport 8345 - j ACCEPT
  • /usr/sbin/xtables-nft-multi iptables -A INPUT -p tcp --dport 59666 -j DROP
  • /usr/sbin/xtables-nft-multi iptables -A INPUT -s 85.196.9.193 -j DROP
  • echo \x22127.0.0.1 reachedfucktheccp.top\x22 >> /etc/hosts
  • iptables - A INPUT - p tcp --dport 8345 - j ACCEPT
  • iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  • /usr/sbin/xtables-nft-multi iptables -A INPUT -p udp --dport 37215 -j DROP
  • ufw deny 37215/tcp
  • ufw deny 37215/udp
  • iptables -F
  • /usr/sbin/xtables-nft-multi iptables - A INPUT - p udp --dport 35342 - j ACCEPT
  • iptables -A INPUT -p tcp --dport 59666 -j DROP
  • iptables -A INPUT -p udp --dport 59666 -j DROP
  • iptables -A INPUT -p udp --dport 37215 -j DROP
  • /usr/sbin/xtables-nft-multi iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
  • nft add rule ip filter input udp dport 37215 drop
  • nft add rule ip filter input tcp dport 59666 drop
Kills the following processes:
  • utempter
Performs operations with the file system:
Deletes folders:
  • /var/lib/dhcp/dhclient.enp0s19.leases
  • /var/log/syslog
  • /var/log/daemon.log
  • /var/log/journal/d2c27189b74f4df08c011b25aa4c9dc5/system.journal
  • /var/log/btmp
  • /var/log/dpkg.log.1.gz
  • /var/log/dpkg.log
  • /var/log/kern.log.1.gz
  • /var/cache/man/index.db.HgpHxM
  • /var/log/auth.log.1.gz
  • /var/cache/man/484
  • /var/log/debug.1.gz
  • /kmsg
  • /var/log/messages.1.gz
  • /var/log/kern.log
  • /var/log/auth.log
  • /var/log/debug
  • /var/log/messages
  • /var/lib/logrotate/status.tmp
Creates or modifies files:
  • /etc/hosts
Deletes files:
  • /var/lib/dhcp/dhclient.enp0s19.leases
  • /var/log/syslog
  • /var/log/daemon.log
  • /var/log/journal/d2c27189b74f4df08c011b25aa4c9dc5/system.journal
  • /var/log/btmp
  • /var/log/dpkg.log.1.gz
  • /var/log/dpkg.log
  • /var/log/kern.log.1.gz
  • /var/cache/man/index.db.HgpHxM
  • /var/log/auth.log.1.gz
  • /var/cache/man/484
  • /var/log/debug.1.gz
  • /kmsg
  • /var/log/messages.1.gz
  • /var/log/kern.log
  • /var/log/auth.log
  • /var/log/debug
  • /var/log/messages
  • /var/lib/logrotate/status.tmp
Network activity:
Awaits incoming connections on ports:
  • 0.0.0.0:8345
  • 0.0.0.0:26721
Establishes connection:
  • 8.#.8.8:53
  • [:##]:37215
  • (e##val)
  • 127.0.0.1:37215
  • [:##]:59666
  • 127.0.0.1:59666
  • 51.###.108.203:53
  • 19#.###.175.20:35342
DNS ASK:
  • re###thltd.com
Sends data to the following servers:
  • 19#.###.175.20:35342
Receives data from the following servers:
  • 19#.###.175.20:35342

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number