Linux.Siggen.5678
Added to the Dr.Web virus database: 2023-10-06
Virus description added: 2023-10-06
Technical Information
Malicious functions:
Operates the following kernel modules:
nf_defrag_ipv4
nf_defrag_ipv6
nf_conntrack
nf_conntrack_netlink
Launches processes:
iptables -w -t filter -I INPUT -i lo -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 34043 -j DROP
iptables -w -t filter -D INPUT -i lo -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 34043 -j DROP >/dev/null 2>&1
/usr/sbin/xtables-nft-multi iptables -w -t filter -I INPUT -i lo -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 34043 -j DROP
modprobe nfnetlink >/dev/null 2>&1 || insmod nfnetlink.ko >/dev/null 2>&1
iptables -w -h > /dev/null 2>&1
iptables -w -t filter -D INPUT -i br-lan -p tcp --dport 16363 -j ACCEPT 2>/dev/null
curl --connect-timeout 60 -m 120 -k --request GET --url https://whoami.nie.netease.com/v1 --header 'x-auth-product: uu' --header 'x-auth-token: token.PrdkAfGROQQ9' 2>/
iptables -w -t filter -L -n >/dev/null 2>&1
/usr/bin/kmod modprobe nf_conntrack_netlink
rm /tmp/.uu_whoami.txt
/usr/sbin/xtables-nft-multi iptables -w -t filter -D INPUT -i br-lan -p tcp --dport 16363 -j ACCEPT
iptables -w -t filter -I INPUT -i br-lan -p tcp --dport 16363 -j ACCEPT
/usr/sbin/xtables-nft-multi iptables -w -t filter -L -n
modprobe nf_conntrack_netlink >/dev/null 2>&1 || insmod nf_conntrack_netlink.ko >/dev/null 2>&1
wget --timeout 120 --no-check-certificate --quiet --method GET --header x-auth-product: uu --header x-auth-token: token.PrdkAfGROQQ9 --output-document - https://whoami.nie.netease.com/v1
/usr/sbin/xtables-nft-multi iptables -w -h
/usr/bin/kmod modprobe nfnetlink
/usr/sbin/xtables-nft-multi iptables -w -t filter -I INPUT -i br-lan -p tcp --dport 16363 -j ACCEPT
rm /tmp/.uu_whoami.txt 2>/dev/null
/usr/sbin/xtables-nft-multi iptables -w -t filter -D INPUT -i lo -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 34043 -j DROP
Performs operations with the file system:
Creates or modifies files:
/run/uuplugin.pid
/usr/sbin/uu/.uuplugin_uuid
/root/.uuplugin_uuid
/tmp/.uu_whoami.txt
Deletes files:
Locks files:
Network activity:
Awaits incoming connections on ports:
Establishes connection:
127.0.0.1:45045
127.0.0.1:34043
42.###.160.34:16000
<LOCAL_DNS_SERVER>
DNS ASK:
rg##.uu.163.com
wh####.nie.netease.com
Sends data to the following servers:
127.0.0.1:45045
42.###.160.34:16000
Receives data from the following servers:
127.0.0.1:38932
127.0.0.1:35820
127.0.0.1:35824
127.0.0.1:35826
127.0.0.1:35830
42.###.160.34:16000