マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

Linux.Siggen.7957

Added to the Dr.Web virus database: 2024-08-19

Virus description added:

Technical Information

Malicious functions:
Removes itself
Substitutes application name for:
  • [kworker/u0:85]
  • [kworker/u1:1]
Manages services:
  • ['systemctl', 'daemon-reload']
  • ['systemctl', 'enable', 'bot.service']
  • ['systemctl', 'start', 'bot.service']
Launches processes:
  • chmod 700 /tmp/apt-key-gpghome.5jJPVLvhTU
  • touch /tmp/apt-key-gpghome.1QO0jFAhEq/pubring.gpg
  • readlink -f /tmp/apt-key-gpghome.5jJPVLvhTU
  • cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
  • rm -f /tmp/apt-key-gpghome.1QO0jFAhEq/pubring.gpg
  • apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
  • mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
  • cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
  • /usr/lib/apt/methods/store
  • rm -f /tmp/apt-key-gpghome.5jJPVLvhTU/pubring.gpg
  • /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.KOad8n /tmp/apt.data.8xG1Fq
  • cat /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
  • apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  • cat /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
  • gpg-connect-agent --no-autostart --dirmngr KILLDIRMNGR
  • readlink -f /etc/apt/trusted.gpg.d/
  • /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.r3XtMq /tmp/apt.data.kwp7yo
  • chmod 700 /tmp/apt-key-gpghome.1QO0jFAhEq
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
  • apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  • /usr/lib/apt/methods/https
  • apt-config shell GPGV Apt::Key::gpgvcommand
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
  • gpg-connect-agent -s --no-autostart GETINFO scd_running /if ${! $?} scd killscd /end
  • apt-get update
  • apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
  • rm -rf /tmp/apt-key-gpghome.5jJPVLvhTU
  • apt-get --fix-broken install
  • cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
  • cat /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
  • readlink -f /tmp/apt-key-gpghome.1QO0jFAhEq
  • find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 ( -name *.gpg -o -name *.asc )
  • /usr/bin/dpkg --print-foreign-architectures
  • sort
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
  • cp -a /tmp/apt-key-gpghome.5jJPVLvhTU/pubring.gpg /tmp/apt-key-gpghome.5jJPVLvhTU/pubring.orig.gpg
  • apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  • cat /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
  • cat /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
  • touch /tmp/apt-key-gpghome.5jJPVLvhTU/pubring.gpg
  • cat /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
  • apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  • sed -e s#\x27#\x27\x22\x27\x22\x27#g
  • gpgv --homedir /tmp/apt-key-gpghome.5jJPVLvhTU --keyring /tmp/apt-key-gpghome.5jJPVLvhTU/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.KOad8n /tmp/apt.data.8xG1Fq
  • gpgconf --kill all
  • apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
  • gpg-connect-agent --no-autostart KILLAGENT
  • /usr/lib/apt/methods/http
  • /usr/lib/apt/methods/gpgv
Kills the following processes:
  • rcu_tasks_trace
  • ata_sff
  • scsi_eh_0
  • scsi_tmf_0
  • scsi_eh_1
  • scsi_tmf_1
  • ksoftirqd/0
  • rcu_sched
  • migration/0
  • jbd2/sda1-8
  • ext4-rsv-conver
  • cpuhp/0
  • kdevtmpfs
  • netns
  • kauditd
  • kthreadd
  • khungtaskd
  • oom_reaper
  • writeback
  • kcompactd0
  • ksmd
  • khugepaged
  • ttm_swap
  • rcu_gp
  • kworker/u2:4
  • rcu_par_gp
  • kintegrityd
  • kblockd
  • blkcg_punt_bio
  • edac-poller
  • devfreq_wq
  • kworker/0:1H
  • kworker/0:0
  • kworker/0:2
  • kswapd0
  • kthrotld
  • acpi_thermal_pm
  • ipv6_addrconf
  • kworker/u2:1
  • kworker/0:1
  • kworker/0:0H
  • kstrp
  • zswap-shrink
  • kworker/u3:0
  • 9bc2fd2a
  • kworker/u2:0
  • mm_percpu_wq
  • rcu_tasks_rude_
  • <SAMPLE>
  • http
  • gpgv
  • store
Performs operations with the file system:
Modifies file access rights:
  • /var/cache/apt/archives/partial
  • /var/lib/apt/lists/auxfiles
  • /var/lib/apt/lists/partial
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
  • /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
  • /tmp/apt-key-gpghome.5jJPVLvhTU
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.xz
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.ThPLKL
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.xz
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.FOhoiN
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.xz
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.HJlteM
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en
  • /tmp/apt-key-gpghome.1QO0jFAhEq
Modifies file owner:
  • /var/cache/apt/archives/partial
  • /var/lib/apt/lists/auxfiles
  • /var/lib/apt/lists/partial
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
  • /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.xz
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.xz
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.xz
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en
Creates folders:
  • /tmp/apt-key-gpghome.5jJPVLvhTU
  • /tmp/apt-key-gpghome.1QO0jFAhEq
Deletes folders:
  • /tmp/apt-key-gpghome.5jJPVLvhTU
Creates or modifies files:
  • /etc/systemd/system/bot.service
  • /tmp/bot-start.sh
  • /tmp/#130834 (deleted)
  • /var/lib/dpkg/lock-frontend
  • /var/lib/dpkg/lock
  • /var/cache/apt/archives/lock
  • /tmp/#130829 (deleted)
  • /var/lib/apt/lists/lock
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.MKjDOA
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.vQpLrz
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.Ly54EC
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.10MmDA
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
  • /tmp/apt.conf.482aho
  • /tmp/apt.sig.KOad8n
  • /tmp/apt.data.8xG1Fq
  • /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
  • /tmp/apt-key-gpghome.5jJPVLvhTU/pubring.gpg
  • /tmp/apt-key-gpghome.5jJPVLvhTU/pubring.orig.gpg
  • /tmp/apt-key-gpghome.5jJPVLvhTU/gpg.1.sh
  • /tmp/apt.conf.uVoUwo
  • /tmp/apt.sig.r3XtMq
  • /tmp/apt.data.kwp7yo
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.xz
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.xz
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.ThPLKL
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.xz
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.FOhoiN
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.HJlteM
  • /tmp/apt-key-gpghome.1QO0jFAhEq/pubring.gpg
Deletes files:
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.MKjDOA
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.vQpLrz
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.Ly54EC
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.10MmDA
  • /tmp/apt-key-gpghome.5jJPVLvhTU/pubring.orig.gpg
  • /tmp/apt-key-gpghome.5jJPVLvhTU/pubring.gpg
  • /tmp/apt-key-gpghome.5jJPVLvhTU/gpg.1.sh
  • /tmp/apt.conf.482aho
  • /tmp/apt.sig.KOad8n
  • /tmp/apt.data.8xG1Fq
Changes time of creation/access/modification of files:
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
  • /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
  • /tmp/apt-key-gpghome.5jJPVLvhTU/pubring.gpg
  • /tmp/apt-key-gpghome.5jJPVLvhTU/pubring.orig.gpg
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources.xz
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_source_Sources
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages.xz
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en.xz
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_binary-amd64_Packages
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_main_i18n_Translation-en
  • /tmp/apt-key-gpghome.1QO0jFAhEq/pubring.gpg
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:9999
Establishes connection:
  • 45.##.28.202:5111
  • 8.#.8.8:53
  • [2#####e42:3a::644]:80
  • (e##val)
  • 15#.##1.246.132:80
  • 3.###.240.123:443
  • 3.###.240.105:443
  • 3.###.240.73:443
  • 3.###.240.119:443
  • [2##########764:9e00:3:db06:4200:93a1]:443
  • [2##########764:3800:3:db06:4200:93a1]:443
  • [2##########764:fe00:3:db06:4200:93a1]:443
  • [2##########764:3a00:3:db06:4200:93a1]:443
  • [2##########764:a200:3:db06:4200:93a1]:443
  • [2##########764:f000:3:db06:4200:93a1]:443
  • [2##########764:fc00:3:db06:4200:93a1]:443
  • [2##########764:ee00:3:db06:4200:93a1]:443
DNS ASK:
  • _h####.##cp.download.docker.com
  • _h###.###p.security.debian.org
  • _h###.##cp.deb.debian.org
  • do####ad.docker.com
  • de####.#ap.fastlydns.net
Sends data to the following servers:
  • 15#.##1.246.132:80
  • 3.###.240.123:443
Receives data from the following servers:
  • 15#.##1.246.132:80
  • 3.###.240.123:443

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number