Linux.Siggen.453

Added to the Dr.Web virus database: 2018-02-26

Virus description added:

Technical Information

Malicious functions:
Launches processes:
  • <SAMPLE_FULL_PATH>
  • route -n
  • xdg-open http://127.0.0.1:8384/
  • dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
  • xprop -root _DT_SAVE_MODE
  • grep = "xfce4"$
  • xprop -root
  • grep -i ^xfce_desktop_window
  • uname
  • grep -q ^file://
  • egrep -q ^[[:alpha:]+\.\-]+:
  • grep -E -q ^[[:alpha:]+\.\-]+:
  • www-browser http://127.0.0.1:8384/
  • gunzip
  • gzip -d
Performs operations with the file system:
Creates folders:
  • /root/.config
  • /root/.config/syncthing
  • /root/.config/syncthing/index-v0.14.0.db
  • /root/Sync
  • /root/Sync/.stfolder
  • /root/.w3m
Creates or modifies files:
  • /root/.config/syncthing/cert.pem
  • /root/.config/syncthing/key.pem
  • /root/.config/syncthing/.syncthing.tmp.212121685
  • /root/.config/syncthing/index-v0.14.0.db/LOCK
  • /root/.config/syncthing/index-v0.14.0.db/LOG
  • /root/.config/syncthing/index-v0.14.0.db/MANIFEST-000000
  • /root/.config/syncthing/index-v0.14.0.db/CURRENT.0
  • /root/.config/syncthing/index-v0.14.0.db/000001.log
  • /root/.config/syncthing/https-cert.pem
  • /root/.config/syncthing/https-key.pem
  • /root/.config/syncthing/.syncthing.tmp.024659888
  • /root/.config/syncthing/.syncthing.tmp.054564687
  • /root/.w3m/w3mtmp714-0.gz
Deletes files:
  • /root/.config/syncthing/.syncthing.tmp.212121685
  • /root/.config/syncthing/.syncthing.tmp.024659888
  • /root/.config/syncthing/.syncthing.tmp.054564687
  • /root/.w3m/w3mtmp714-0.gz
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:8384
  • 0.0.0.0:21027
Establishes connection:
  • <LOCAL_DNS_SERVER>
  • 46.###.130.230:443
  • 51.##.92.95:9
  • 51.##.215.88:9
  • 51.##.92.95:443
  • [2######8:4400:2200::c39]:9
  • [2######8:4700:2000::515]:9
  • [2#######:4400:2200::c39]:443
  • [2#######:4700:2000::515]:443
  • <LOCAL_DNS_SERVER>51
  • 21#.#27.67.34:9
  • 21#.#27.67.33:9
  • 21#.###.217.18:22067
  • 20#.###.146.36:22067
  • 46.##.250.207:993
  • 37.###.57.69:22067
  • 94.##.122.162:443
  • 5.###.179.192:22067
  • 31.###.45.3:22067
  • 13#.##.36.151:22067
  • 15#.##.170.183:22067
  • 19#.##.175.39:22067
  • 2.#.##.109:22067
  • 16#.###.160.227:22067
  • 16#.##.83.235:22067
  • 21#.###.205.247:22067
  • 45.##.172.54:22067
  • 46.###.18.182:22067
  • 79.###.213.84:22067
  • 86.###.149.216:22067
  • 10#.###.145.187:22067
  • 12#.###.219.85:22067
  • 46.###.56.132:63988
  • 16#.##2.179.61:8443
  • 10#.###.199.119:22067
  • 15#.##3.30.69:443
  • 16#.###.182.254:22067
  • 51.###.35.66:22067
  • 51.##.56.101:22067
  • 88.##.175.206:22067
  • 19#.###.196.10:22067
  • 10#.##.10.61:443
  • 17#.###.217.42:22067
  • 10#.###.218.29:22067
  • 86.###.73.22:22067
  • 16#.##6.157.114:443
  • 86.###.110.238:22067
  • 89.##.39.108:22067
  • 14#.###.234.88:22067
  • 21#.###.231.216:22067
  • 95.##.71.20:22067
  • 15#.#.77.158:22067
  • 83.###.51.14:443
  • 91.###.229.68:22067
  • 83.###.144.57:22067
  • 51.###.75.9:22067
  • 10#.###.154.59:22067
  • 11#.###.177.157:22067
  • 17#.##.219.195:22067
  • 80.###.118.62:8080
  • 80.###.192.102:22067
  • 19#.###.147.150:22067
  • 94.###.67.138:22067
  • 21#.##.158.110:22067
  • 5.#.#6.38:22067
  • 21#.###.53.178:22067
  • 19#.##9.226.6:443
  • 85.###.216.244:22067
  • 46.###.130.230:9
  • [2#######0:3:d0::18d6:8001]:9
  • 94.###.57.172:443
  • 16#.###.181.231:22067
  • 20#.###.135.76:22067
  • 22#.##1.38.55:8067
  • 10#.##0.6.122:8080
  • 65.##.142.180:22067
  • 78.###.42.155:443
  • 21#.###.161.120:22067
  • 21#.##.25.30:27040
  • 18#.###.143.60:22067
  • 16#.##9.130.8:10902
  • 46.##.48.180:22067
  • 16#.###.24.229:22067
  • 92.###.95.0:22067
  • 18#.##.171.192:443
  • 64.###.224.30:443
  • 11#.###.44.148:17607
  • 10#.##0.56.60:443
  • 13#.##.43.68:22067
  • 79.###.32.223:22067
  • 94.###.105.96:443
  • 89.##.74.106:80
  • 21#.###.171.119:22067
  • 36.###.125.74:22067
  • 46.##.254.41:22067
  • 69.###.114.223:22067
  • 14#.###.52.153:22067
  • 18#.###.214.181:22067
  • 94.###.167.148:22067
  • 16#.##2.85.202:443
  • 16#.###.147.209:22067
  • 77.##.145.221:22067
  • 84.###.16.50:443
  • 13#.###.96.164:22067
  • 14#.##.71.91:22067
  • 10#.##.183.249:22067
  • 90.##.215.17:22067
  • 77.##.215.121:22067
  • 14#.##.27.100:443
  • 69.##.201.138:22067
  • 21#.##.221.154:8080
  • 77.##.78.148:22067
  • 17#.##0.8.190:22067
  • 17#.##.221.151:22067
  • 21#.##.253.154:22067
  • 10#.##3.225.93:443
  • 78.##.248.86:443
  • 18#.##.167.63:22067
  • 18#.###.141.93:22067
  • 14#.###.88.132:22067
  • 94.###.44.20:22067
  • 21#.##.15.128:22067
  • 16#.###.132.71:22067
  • 94.###.98.21:22067
  • 19#.###.49.122:22067
  • 19#.###.110.10:22067
  • 10#.#.22.165:35752
HTTP GET requests:
  • 127.0.0.1:8384/
DNS ASK:
  • re####.syncthing.net
  • di######y-v4.syncthing.net
  • di######y-v6.syncthing.net
  • st##.##unterpath.com
  • st##.schlund.de
  • up#####s.syncthing.net
Sends data to the following servers:
  • [f####:8384]:21027
  • 19#.###.200.255:21027
  • 23#.###.255.250:1900
  • [:######216.93.246.18]:3478
  • <LOCAL_DNS_SERVER>51
  • 51.##.92.95:443
  • 46.###.130.230:443
  • [:######212.227.67.34]:3478
  • [:######212.227.67.33]:3478
  • 127.0.0.1:59812
  • 78.###.42.155:443
Receives data from the following servers:
  • <LOCAL_DNS_SERVER>51
  • 51.##.92.95:443
  • 46.###.130.230:443
  • 127.0.0.1:59812
  • 78.###.42.155:443
Other:
Collects RAM information
Collects information about network activity
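
Triage note and added example (this is not part of Dr.Web's report, and the code is neither Dr.Web's nor Syncthing's): the artifacts listed above are the defaults of the Syncthing file-synchronisation daemon, whose discovery, relay and upgrade hosts under syncthing.net appear in the report's own DNS list. A web GUI on 127.0.0.1:8384, local discovery on UDP 21027, a large fan-out of outbound connections to port 22067 (the Syncthing relay port), STUN traffic to port 3478, and state under /root/.config/syncthing with the index-v0.14.0.db database and the cert.pem/key.pem device identity all fit that profile. The xdg-open, dbus-send, xprop, grep and www-browser processes are xdg-open's desktop-environment detection followed by the fallback text browser fetching the GUI URL, which is what created /root/.w3m. Whether that is acceptable on a given host depends on who installed it, so the script below, written for this page, turns the report's endpoint list into a destination-port histogram (22067 dominates) and checks a Linux host's /proc/net/tcp and /proc/net/udp for the listeners the report names. The report excerpt and the /proc/net snapshots embedded in it are constructed from the page's values; on a Linux host the script reads the real tables and falls back to the constructed ones elsewhere.

```python
import re
import socket
from collections import Counter

# Constructed excerpt of the report's port and endpoint lists (masked
# addresses kept exactly as the page prints them); not the page's full list.
REPORT_EXCERPT = """\
Awaits incoming connections on ports:
  • 127.0.0.1:8384
  • 0.0.0.0:21027
Establishes connection:
  • <LOCAL_DNS_SERVER>
  • 46.###.130.230:443
  • 51.##.92.95:9
  • [2######8:4400:2200::c39]:9
  • 21#.###.217.18:22067
  • 20#.###.146.36:22067
  • 37.###.57.69:22067
  • 16#.##2.179.61:8443
  • 5.###.179.192:22067
  • 31.###.45.3:22067
"""

# Constructed /proc/net/tcp and /proc/net/udp snapshots of a host running the
# sample: a TCP listener on 127.0.0.1:8384 (0x20C0), one established loopback
# connection to it, and a UDP socket bound to 0.0.0.0:21027 (0x5223).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:20C0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 28411 1 0000000000000000 100 0 0 10 0
   1: 0100007F:20C0 0100007F:E9A4 01 00000000:00000000 00:00000000 00000000     0        0 28420 1 0000000000000000 20 4 30 10 -1
"""
PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:5223 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 28430 2 0000000000000000 0
"""

# "[v6]:port" or "v4:port"; masked digits ('#') are accepted like any other char.
ENDPOINT_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:\s]+)):(?P<port>\d+)$")


def parse_report(text):
    """Map each 'Heading:' line to the bullet entries that follow it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            current = line[:-1]
            sections[current] = []
        elif line.startswith("•") and current is not None:
            sections[current].append(line.lstrip("• ").strip())
    return sections


def split_endpoint(entry):
    """Return (host, port), or None for entries that carry no port, such as
    the report's '<LOCAL_DNS_SERVER>' placeholder."""
    m = ENDPOINT_RE.match(entry)
    return (m.group("v6") or m.group("v4"), int(m.group("port"))) if m else None


def port_histogram(entries):
    """Count destination ports; the dominant port is what the sample mostly talks to."""
    counts = Counter()
    for entry in entries:
        parsed = split_endpoint(entry)
        if parsed:
            counts[parsed[1]] += 1
    return counts


def _decode_proc_addr(hexaddr):
    """Decode a /proc/net address field: IPv4 is one little-endian 32-bit
    word, IPv6 is four of them, so every 4-byte group is byte-reversed."""
    raw = bytes.fromhex(hexaddr)
    if len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw[::-1])
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4))
    return socket.inet_ntop(socket.AF_INET6, fixed)


def listening_sockets(proc_net_text, udp=False):
    """Set of (ip, port) for TCP sockets in LISTEN (st=0A) or, with udp=True,
    unconnected UDP sockets (st=07), parsed from /proc/net/{tcp,udp}{,6} text."""
    want = "07" if udp else "0A"
    found = set()
    for line in proc_net_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != want:
            continue
        addr, port = fields[1].rsplit(":", 1)
        found.add((_decode_proc_addr(addr), int(port, 16)))
    return found


def listeners_present(sections, tcp_text, udp_text):
    """Ports from the report's 'Awaits incoming connections' list that are bound
    on the host; matched by port only, since a real install may bind another interface."""
    expected = set()
    for entry in sections.get("Awaits incoming connections on ports", []):
        parsed = split_endpoint(entry)
        if parsed:
            expected.add(parsed[1])
    bound = {port for _, port in listening_sockets(tcp_text) | listening_sockets(udp_text, udp=True)}
    return sorted(expected & bound)


if __name__ == "__main__":
    sections = parse_report(REPORT_EXCERPT)
    print("top destination ports:", port_histogram(sections["Establishes connection"]).most_common(3))
    try:  # live Linux host: read the real tables; elsewhere use the constructed snapshots
        with open("/proc/net/tcp") as f_tcp, open("/proc/net/udp") as f_udp:
            tcp_text, udp_text = f_tcp.read(), f_udp.read()
    except OSError:
        tcp_text, udp_text = PROC_NET_TCP, PROC_NET_UDP
    print("report listener ports bound on this host:", listeners_present(sections, tcp_text, udp_text))
```

Run it as root on the host under investigation; a hit on 8384 plus 21027 together with /root/.config/syncthing present means the host is running the same daemon the sandbox observed, and the next question is whether an administrator put it there.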

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.