Mi biblioteca
Mi biblioteca

+ Añadir a la biblioteca

Soporte
Soporte 24 horas | Normas de contactar

Sus solicitudes

Perfil

Linux.Siggen.7762

Added to the Dr.Web virus database: 2024-07-08

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /etc/crontab
Malicious functions:
Launches itself as a daemon
Gets access to SSH keys
  • /root/.ssh/authorized_keys
Substitutes application name for:
  • [scsi_e_1]
Replaces the following system files:
  • /usr/bin/chattr
Manages services:
  • ['systemctl', 'daemon-reload']
  • ['systemctl', 'enable', 'CLAMAV']
Launches processes:
  • chattr -ia /root/.ssh/authorized_keys
  • grep :65533
  • touch -t 201605070000 /usr/bin/kill
  • netstat -anp | grep :10771 | awk \x27{print $7}\x27 | awk -F\x27[/]\x27 \x27{print $1}\x27 | grep -v \x22-\x22 | xargs -I % kill -9 %
  • touch -t 201903060000 /usr/bin/chmod
  • systemctl daemon-reload;systemctl enable CLAMAV
  • touch -t 201507020000 /usr/bin/cd
  • netstat -anp | grep :25000 | awk \x27{print $7}\x27 | awk -F\x27[/]\x27 \x27{print $1}\x27 | grep -v \x22-\x22 | xargs -I % kill -9 %
  • netstat -anp | grep :65533 | awk \x27{print $7}\x27 | awk -F\x27[/]\x27 \x27{print $1}\x27 | grep -v \x22-\x22 | xargs -I % kill -9 %
  • grep :10771
  • touch -t 201808020000 /usr/bin/rm
  • grep -v -
  • touch -t 201807090000 /usr/bin/ls
  • xargs -I % kill -9 %
  • touch -t 201905090000 /usr/bin/chattr
  • grep :10991
  • grep :25000
  • /usr/bin/mawk awk {print $7}
  • touch -t 201706090000 /usr/bin/find
  • grep :6001
  • chattr -ia /root/.ssh
  • /usr/bin/mawk awk -F[/ {print $1}
  • netstat -anp | grep :6001 | awk \x27{print $7}\x27 | awk -F\x27[/]\x27 \x27{print $1}\x27 | grep -v \x22-\x22 | xargs -I % kill -9 %
  • netstat -anp | grep :10991 | awk \x27{print $7}\x27 | awk -F\x27[/]\x27 \x27{print $1}\x27 | grep -v \x22-\x22 | xargs -I % kill -9 %
  • hash -r
Performs operations with the file system:
Modifies file access rights:
  • /usr/sbin/.libso
  • /usr/lib/.os-rslease
  • /usr/local/bin/cd
  • /usr/local/bin/kill
  • /usr/local/bin/ls
  • /usr/local/bin/cat
  • /usr/local/bin/chmod
  • /usr/local/bin/find
  • /usr/local/bin/top
  • /root/.ssh/authorized_keys
Creates folders:
  • /root/.ssh
Creates or modifies files:
  • /usr/sbin/.libso
  • /usr/lib/.os-rslease
  • /usr/local/bin/cd
  • /usr/local/bin/kill
  • /usr/local/bin/ls
  • /usr/local/bin/cat
  • /usr/local/bin/chmod
  • /usr/local/bin/find
  • /usr/local/bin/top
  • /etc/systemd/system/CLAMAV.service
  • /usr/bin/ls
  • /usr/bin/rm
  • /usr/bin/chmod
  • /usr/bin/kill
  • /usr/bin/cd
  • /usr/bin/find
Mounts file systems:
  • /tmp
Changes time of creation/access/modification of files:
  • /usr/bin/ls
  • /usr/bin/rm
  • /usr/bin/chmod
  • /usr/bin/kill
  • /usr/bin/cd
  • /usr/bin/find
  • /usr/bin/chattr
Network activity:
Awaits incoming connections on ports:
  • 0.0.0.0:11451
Establishes connection:
  • 8.#.8.8:53
DNS ASK:
  • co###ol.zoml.cc

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number