Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Siggen.1440

Added to the Dr.Web virus database: 2019-02-21

Virus description added:

Technical Information

Malicious functions:
Gains root privileges
Launches itself as a daemon
Launches processes:
  • /bin/sh <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
  • <SAMPLE_FULL_PATH>
  • /bin/sh <SAMPLE_FULL_PATH> -c
  • wget https://indirsh.tk/sistem/duyuruen.php -q -O -
  • wget https://indirsh.tk/sistem/tarih.php -q -O -
  • wget https://indirsh.tk/sistem/engelli/.php -q -O -
  • wget https://indirsh.tk/sistem/mesaj.php -q -O -
  • wget https://indirsh.tk/Special/sinalfalink.php -q -O -
  • clear
  • grep CentOS
  • grep ^NAME
  • cat /etc/os-release
  • su root -c echo -e '\033[1;32mCurl Not Found Installing...\033[0m'
  • bash -c echo -e '\033[1;32mCurl Not Found Installing...\033[0m'
  • apt-get -qq update
  • /usr/bin/dpkg --print-foreign-architectures
  • /usr/lib/apt/methods/http
  • /usr/lib/apt/methods/gpgv
  • /usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.B9yJKu /tmp/apt.data.mkXN7i
Kills the following processes:
  • /usr/lib/apt/methods/http
  • /usr/lib/apt/methods/gpgv
Performs operations with the file system:
Creates or modifies files:
  • /var/lib/apt/lists/lock
  • /var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
  • /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
  • /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_InRelease
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
  • /tmp/apt.sig.B9yJKu
  • /tmp/apt.data.mkXN7i
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release
Deletes files:
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
Network activity:
Establishes connection:
  • <LOCAL_DNS_SERVER>
  • 18#.##6.205.130:443
  • 21#.##6.149.233:80
  • [2#######8:dc41:100::233]:80
  • [2#########:1:216:35ff:fe7f:6ceb]:80
  • [2#####e42:3a::204]:80
HTTP GET requests:
  • ft#.##.######.org/debian/dists/jessie/InRelease
  • se######.#####n.org/dists/jessie/updates/InRelease
  • ft#.##.######.#rg/debian/dists/jessie-updates/InRelease
  • se##########.##bian.org/dists/jessie/updates/InRelease
  • ft#.##.######.org/debian/dists/jessie/Release.gpg
  • ft#.##.######.org/debian/dists/jessie/Release
DNS ASK:
  • in##rsh.tk
  • se####ty.debian.org
  • ft#.##.debian.org
  • se#####y-cdn.debian.org
Sends data to the following servers:
  • 18#.##6.205.130:443
Receives data from the following servers:
  • 18#.##6.205.130:443
Other:
Collects RAM information

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number