Linux.Siggen.6983

Linux.Siggen.6983

Added to the Dr.Web virus database: 2024-04-14

Virus description added: 2024-04-14

To ensure autorun and distribution:

Creates or modifies the following files:

Malicious functions:

Gets access to SSH keys

Substitutes application name for:

Manages services:

Launches processes:

rm -rf /var/tmp/x.sh /var/tmp/xxx
rm -rf /var/tmp/Documents/.5p4rk3l5
pgrep -x Opera
chmod 777 /root/.pidsclip
chattr -iae /root/.ssh/authorized_keys
mkdir /var/tmp/.ladyg0g0/
chattr +iae /var/tmp/Documents/.diicot
<0x60>
<SAMPLE_FULL_PATH> -c exec \x27<SAMPLE_FULL_PATH>\x27 \x22$@\x22 <SAMPLE_FULL_PATH>
mv /var/tmp/Documents/kuak /var/tmp/Documents/Opera
mkdir /root/.ssh
chattr +iae /root/.ssh/authorized_keys
cp -avr /root /usr/bin/.locatione
rm -rf /root/.ssh
rm -rf /var/tmp/Documents/config.json
chmod 777 /var/tmp/Documents/.b4nd1d0
bash -c yum install -y rsync >/dev/null 2>&1 & disown
mkdir /var/tmp/Documents
/usr/bin/mawk awk {print \x22kill -9 \x22$1}
/usr/sbin/killall5 pidof Opera
grep -q .diicot
id -u
cat /usr/bin/.locatione
crontab -r
chmod -R go= /root/.ssh
sleep 0.5
chmod 777 /usr/bin/sshd
crontab -l
cat /var/tmp/.ladyg0g0/.pr1nc35
chmod 644 /lib/systemd/system/myservice.service
sh /var/tmp/x.sh
crontab /var/tmp/Documents/.5p4rk3l5
/usr/bin/mawk awk {gsub(\x22 \x22 \x22\x5cn\x22 $0); print}
chmod 777 Opera
sync
/bin/bash /var/tmp/Documents/./.b4nd1d0
chmod 777 /usr/bin/.pidsclip
sleep 1

Kills the following processes:

Performs operations with the file system:

Modifies file access rights:

Creates folders:

Creates or modifies files:

Deletes files:

Changes time of creation/access/modification of files:

Other:

Collects OS information

Collects CPU information