Mi biblioteca
Mi biblioteca

+ Añadir a la biblioteca

Soporte
Soporte 24 horas | Normas de contactar

Sus solicitudes

Perfil

Linux.Siggen.5678

Added to the Dr.Web virus database: 2023-10-06

Virus description added:

Technical Information

Malicious functions:
Operates the following kernel modules:
  • nf_defrag_ipv4
  • nf_defrag_ipv6
  • nf_conntrack
  • nf_conntrack_netlink
Launches processes:
  • iptables -w -t filter -I INPUT -i lo -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 34043 -j DROP
  • iptables -w -t filter -D INPUT -i lo -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 34043 -j DROP >/dev/null 2>&1
  • /usr/sbin/xtables-nft-multi iptables -w -t filter -I INPUT -i lo -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 34043 -j DROP
  • modprobe nfnetlink >/dev/null 2>&1 || insmod nfnetlink.ko >/dev/null 2>&1
  • iptables -w -h > /dev/null 2>&1
  • iptables -w -t filter -D INPUT -i br-lan -p tcp --dport 16363 -j ACCEPT 2>/dev/null
  • curl --connect-timeout 60 -m 120 -k --request GET --url https://whoami.nie.netease.com/v1 --header \x27x-auth-product: uu\x27 --header \x27x-auth-token: token.PrdkAfGROQQ9\x27 2>/
  • iptables -w -t filter -L -n >/dev/null 2>&1
  • /usr/bin/kmod modprobe nf_conntrack_netlink
  • rm /tmp/.uu_whoami.txt
  • /usr/sbin/xtables-nft-multi iptables -w -t filter -D INPUT -i br-lan -p tcp --dport 16363 -j ACCEPT
  • iptables -w -t filter -I INPUT -i br-lan -p tcp --dport 16363 -j ACCEPT
  • /usr/sbin/xtables-nft-multi iptables -w -t filter -L -n
  • modprobe nf_conntrack_netlink >/dev/null 2>&1 || insmod nf_conntrack_netlink.ko >/dev/null 2>&1
  • wget --timeout 120 --no-check-certificate --quiet --method GET --header x-auth-product: uu --header x-auth-token: token.PrdkAfGROQQ9 --output-document - https://whoami.nie.netease.com/v1
  • /usr/sbin/xtables-nft-multi iptables -w -h
  • /usr/bin/kmod modprobe nfnetlink
  • /usr/sbin/xtables-nft-multi iptables -w -t filter -I INPUT -i br-lan -p tcp --dport 16363 -j ACCEPT
  • rm /tmp/.uu_whoami.txt 2>/dev/null
  • /usr/sbin/xtables-nft-multi iptables -w -t filter -D INPUT -i lo -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 34043 -j DROP
Performs operations with the file system:
Creates or modifies files:
  • /run/uuplugin.pid
  • /usr/sbin/uu/.uuplugin_uuid
  • /root/.uuplugin_uuid
  • /tmp/.uu_whoami.txt
Deletes files:
  • /tmp/.uu_whoami.txt
Locks files:
  • /run/uuplugin.pid
Network activity:
Awaits incoming connections on ports:
  • 25#.###.255.255:16363
Establishes connection:
  • 127.0.0.1:45045
  • 127.0.0.1:34043
  • 42.###.160.34:16000
  • <LOCAL_DNS_SERVER>
DNS ASK:
  • rg##.uu.163.com
  • wh####.nie.netease.com
Sends data to the following servers:
  • 127.0.0.1:45045
  • 42.###.160.34:16000
Receives data from the following servers:
  • 127.0.0.1:38932
  • 127.0.0.1:35820
  • 127.0.0.1:35824
  • 127.0.0.1:35826
  • 127.0.0.1:35830
  • 42.###.160.34:16000

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number