Linux.Siggen.453
Added to the Dr.Web virus database:
2018-02-26
Virus description added:
2018-02-26
Technical Information
Malicious functions:
Launches processes:
- <SAMPLE_FULL_PATH>
- route -n
- xdg-open http://127.0.0.1:8384/
- dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
- xprop -root _DT_SAVE_MODE
- grep = \\"xfce4\\"$
- xprop -root
- grep -i ^xfce_desktop_window
- uname
- grep -q ^file://
- egrep -q ^[[:alpha:]+\.\-]+:
- grep -E -q ^[[:alpha:]+\.\-]+:
- www-browser http://127.0.0.1:8384/
- gunzip
- gzip -d
Performs operations with the file system:
Creates folders:
- /root/.config
- /root/.config/syncthing
- /root/.config/syncthing/index-v0.14.0.db
- /root/Sync
- /root/Sync/.stfolder
- /root/.w3m
Creates or modifies files:
- /root/.config/syncthing/cert.pem
- /root/.config/syncthing/key.pem
- /root/.config/syncthing/.syncthing.tmp.212121685
- /root/.config/syncthing/index-v0.14.0.db/LOCK
- /root/.config/syncthing/index-v0.14.0.db/LOG
- /root/.config/syncthing/index-v0.14.0.db/MANIFEST-000000
- /root/.config/syncthing/index-v0.14.0.db/CURRENT.0
- /root/.config/syncthing/index-v0.14.0.db/000001.log
- /root/.config/syncthing/https-cert.pem
- /root/.config/syncthing/https-key.pem
- /root/.config/syncthing/.syncthing.tmp.024659888
- /root/.config/syncthing/.syncthing.tmp.054564687
- /root/.w3m/w3mtmp714-0.gz
Deletes files:
- /root/.config/syncthing/.syncthing.tmp.212121685"
- /root/.config/syncthing/.syncthing.tmp.024659888"
- /root/.config/syncthing/.syncthing.tmp.054564687"
- /root/.w3m/w3mtmp714-0.gz"
Network activity:
Awaits incoming connections on ports:
- 127.0.0.1:8384
- 0.0.0.0:21027
Establishes connection:
HTTP GET requests:
DNS ASK:
- re####.syncthing.net
- di######y-v4.syncthing.net
- di######y-v6.syncthing.net
- st##.##unterpath.com
- st##.schlund.de
- up#####s.syncthing.net
Sends data to the following servers:
- [f####:8384]:21027
- 19#.###.200.255:21027
- 23#.###.255.250:1900
- [:######216.93.246.18]:3478
- <LOCAL_DNS_SERVER>51
- 51.##.92.95:443
- 46.###.130.230:443
- [:######212.227.67.34]:3478
- [:######212.227.67.33]:3478
- 127.0.0.1:59812
- 78.###.42.155:443
Receives data from the following servers:
- <LOCAL_DNS_SERVER>51
- 51.##.92.95:443
- 46.###.130.230:443
- 127.0.0.1:59812
- 78.###.42.155:443
Other:
Collects RAM information
Collects information about network activity
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息