JavaScript support is required for our site to be fully operational in your browser.
Linux.Siggen.2960
Added to the Dr.Web virus database:
2020-05-16
Virus description added:
2020-05-16
Technical Information
Malicious functions:
Launches itself as a daemon
Substitutes application name for:
Replaces the following system files:
Launches processes:
/bin/sh -c mkdir app && >app/lib && cd app/lib; mv <SAMPLE_FULL_PATH> app/lib; chmod 777 app/lib
mkdir app
mv <SAMPLE_FULL_PATH> app/lib
chmod 777 app/lib
/bin/sh -c cd /bin/; cat tftp > tftp-cpy; cat /proc/692/exe > tftp ; chmod 777 tftp
cat tftp
cat /proc/692/exe
chmod 777 tftp
/bin/sh -c cd /bin/; cat rm > rm-cpy; cat /proc/692/exe > rm ; chmod 777 rm
cat rm
chmod 777 rm
/bin/sh -c cd /bin/; cat cd > cd-cpy; cat /proc/692/exe > cd ; chmod 777 cd
cat cd
chmod 777 cd
/bin/sh -c cd /bin/; cat wget > wget-cpy; cat /proc/692/exe > wget ; chmod 777 wget
cat wget
chmod 777 wget
/bin/sh -c cd /bin/; cat echo > echo-cpy; cat /proc/692/exe > echo ; chmod 777 echo
cat echo
chmod 777 echo
/bin/sh -c cd /sbin/; cat tftp > tftp-cpy; cat /proc/692/exe > tftp ; chmod 777 tftp
/bin/sh -c cd /sbin/; cat rm > rm-cpy; cat /proc/692/exe > rm ; chmod 777 rm
/bin/sh -c cd /sbin/; cat cd > cd-cpy; cat /proc/692/exe > cd ; chmod 777 cd
/bin/sh -c cd /sbin/; cat wget > wget-cpy; cat /proc/692/exe > wget ; chmod 777 wget
/bin/sh -c cd /sbin/; cat echo > echo-cpy; cat /proc/692/exe > echo ; chmod 777 echo
Kills system processes:
Performs operations with the file system:
Modifies file access rights:
/root/app/lib
/bin/tftp
/bin/rm
/bin/cd
/bin/wget
/bin/echo
/sbin/tftp
/sbin/rm
/sbin/cd
/sbin/wget
/sbin/echo
Creates folders:
Creates or modifies files:
/root/app/lib
<SAMPLE_FULL_PATH>
/bin/tftp-cpy
/bin/tftp
/bin/rm-cpy
/bin/rm
/bin/cd-cpy
/bin/cd
/bin/wget-cpy
/bin/echo-cpy
/bin/echo
/sbin/tftp-cpy
/sbin/tftp
/sbin/rm-cpy
/sbin/rm
/sbin/cd-cpy
/sbin/cd
/sbin/wget-cpy
/sbin/echo-cpy
/sbin/echo
Network activity:
Awaits incoming connections on ports:
Establishes connection:
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
DNS ASK:
Sends data to the following servers:
13#.##8.112.116:23
18#.##2.54.13:23
28.##.4.82:23
17#.##1.65.43:23
20#.##6.60.71:23
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK