JavaScript support is required for our site to be fully operational in your browser.
Linux.Siggen.3156
Added to the Dr.Web virus database:
2020-06-23
Virus description added:
2020-06-23
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
/etc/inittab
/var/spool/cron/crontabs/root
/etc/rc.local
Malicious functions:
Substitutes application name for:
Modifies router settings:
Launches processes:
sh -c cat /etc/inittab | grep -v \"<SAMPLE_FULL_PATH>\" > /etc/inittab2
sh -c crontab -l | grep <SAMPLE_FULL_PATH> | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * <SAMPLE_FULL_PATH> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
sh -c crontab -r
cat /etc/inittab
crontab -r
grep -v <SAMPLE_FULL_PATH>
crontab -l
grep <SAMPLE_FULL_PATH>
grep -v no cron
sh -c echo \"0:2345:respawn:<SAMPLE_FULL_PATH>\" >> /etc/inittab2
crontab -
sh -c cat /etc/inittab2 > /etc/inittab
cat /etc/inittab2
sh -c rm -rf /etc/inittab2
rm -rf /etc/inittab2
sh -c touch -acmr /bin/ls /etc/inittab
touch -acmr /bin/ls /etc/inittab
sh -c cp -f <SAMPLE_FULL_PATH> /dev/shm/<SAMPLE>
sh -c nvram get router_name
sh -c /bin/uname -n
cp -f <SAMPLE_FULL_PATH> /dev/shm/<SAMPLE>
/bin/uname -n
sh -c cat /etc/inittab | grep -v \"/dev/shm/<SAMPLE>\" > /etc/inittab2
sh -c crontab -l | grep /dev/shm/<SAMPLE> | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/<SAMPLE> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
grep -v /dev/shm/<SAMPLE>
grep /dev/shm/<SAMPLE>
sh -c echo \"0:2345:respawn:/dev/shm/<SAMPLE>\" >> /etc/inittab2
sh -c cp -f <SAMPLE_FULL_PATH> /var/tmp/<SAMPLE>
cp -f <SAMPLE_FULL_PATH> /var/tmp/<SAMPLE>
sh -c cat /etc/inittab | grep -v \"/var/tmp/<SAMPLE>\" > /etc/inittab2
sh -c crontab -l | grep /var/tmp/<SAMPLE> | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/<SAMPLE> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
grep -v /var/tmp/<SAMPLE>
grep /var/tmp/<SAMPLE>
sh -c echo \"0:2345:respawn:/var/tmp/<SAMPLE>\" >> /etc/inittab2
sh -c cp -f <SAMPLE_FULL_PATH> /var/lock/<SAMPLE>
cp -f <SAMPLE_FULL_PATH> /var/lock/<SAMPLE>
sh -c cat /etc/inittab | grep -v \"/var/lock/<SAMPLE>\" > /etc/inittab2
sh -c crontab -l | grep /var/lock/<SAMPLE> | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/<SAMPLE> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
grep /var/lock/<SAMPLE>
grep -v /var/lock/<SAMPLE>
sh -c echo \"0:2345:respawn:/var/lock/<SAMPLE>\" >> /etc/inittab2
sh -c cp -f <SAMPLE_FULL_PATH> /var/run/<SAMPLE>
cp -f <SAMPLE_FULL_PATH> /var/run/<SAMPLE>
sh -c cat /etc/inittab | grep -v \"/var/run/<SAMPLE>\" > /etc/inittab2
sh -c crontab -l | grep /var/run/<SAMPLE> | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/<SAMPLE> > /dev/null 2>&1 &\") | crontab - > /dev/null 2>&1 &
grep -v /var/run/<SAMPLE>
grep /var/run/<SAMPLE>
sh -c echo \"0:2345:respawn:/var/run/<SAMPLE>\" >> /etc/inittab2
Performs operations with the file system:
Modifies file access rights:
/var/spool/cron/crontabs/tmp.hF4NXg
/var/spool/cron/crontabs/tmp.5DY6tK
/var/spool/cron/crontabs/tmp.tS736L
/var/spool/cron/crontabs/tmp.l6Oy31
/var/spool/cron/crontabs/tmp.Riz8ip
Creates or modifies files:
/etc/inittab2
/var/spool/cron/crontabs/tmp.hF4NXg
/dev/shm/<SAMPLE>
/var/spool/cron/crontabs/tmp.5DY6tK
/var/tmp/<SAMPLE>
/var/spool/cron/crontabs/tmp.tS736L
/var/lock/<SAMPLE>
/run/lock/<SAMPLE>
/var/spool/cron/crontabs/tmp.l6Oy31
/var/run/<SAMPLE>
/run/<SAMPLE>
/var/spool/cron/crontabs/tmp.Riz8ip
Deletes files:
Locks files:
Network activity:
Awaits incoming connections on ports:
Establishes connection:
Connects to the following servers over the IRC protocol:
Server: 68.##.253.100; Command: NICK Mps|e|0|1458100|box-mips\nUSER muhstik localhost localhost :muhstik-11052018\n
Server: 18#.#1.149.22; Command: NICK Mps|e|0|1458100|box-mips\nUSER muhstik localhost localhost :muhstik-11052018\n
Server: 18#.#1.149.22; Command: PONG :46A9320C\n
Server: 18#.#1.149.22; Command: MODE Mps|e|0|1458100|box-mips -xi\n
Server: 18#.#1.149.22; Command: JOIN #em :8974\n
Server: 18#.#1.149.22; Command: WHO Mps|e|0|1458100|box-mips\n
DNS ASK:
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
OK