DLA UŻYTKOWNIKÓW

My library

+ Add to library

Search

24/7 Tech support | Rules regarding submitting

Send a message

Call us

+7 (495) 789-45-86

Forum

PL

RU CN DE EN ES FR IT JP KZ UZ PL BY

Support services

Dr.Web vxCube

Sign in to Dr.Web vxCube

VCI investigations

Virus library

Knowledge base

Technologies

Terminology

Training and education

Myths

Myths about anti-viruses

Linux.Siggen.2900

Added to the Dr.Web virus database: 2020-05-12

Virus description added: 2020-05-12

Technical Information

Malicious functions:

Launches itself as a daemon

Substitutes application name for:

/var/Sofia

Modifies firewall settings:

iptables -F

Manages services:

systemctl -p CanReload show cron.service
systemctl -p LoadState show cron.service
/bin/systemctl stop cron.service

Launches processes:

sh -c iptables -F >/dev/null 2>&1
sh -c /etc/init.d/cron stop >/dev/null 2>&1
/etc/init.d/cron stop
run-parts --lsbsysinit --list /lib/lsb/init-functions.d
readlink -f /etc/init.d/cron
sh -c /etc/init.d/crond stop >/dev/null 2>&1
/etc/init.d/crond stop

Kills system processes:

sshd

Kills the following processes:

run.sh

Performs operations with the file system:

Modifies file access rights:

/bin/systemctl

Network activity:

Awaits incoming connections on ports:

0.0.0.0:9105

Establishes connection:

8.#.8.8:53
37.##.226.209:9990
37.##.226.209:28344

Attacks using a special dictionary (brute-force technique) via the Telnet protocol.

Sends data to the following servers:

20#.##.120.64:23
90.##.116.67:23
13#.##3.15.78:23
15#.##8.86.153:23
18#.##7.120.240:23
70.##.250.43:23
14.##.82.45:23
10#.##.31.164:23
58.##8.81.20:23

Curing recommendations

Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number