Linux.Siggen.3301
Added to the Dr.Web virus database: 2020-09-09
Virus description added: 2020-09-08
Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- /etc/rc.local
- /etc/profile.d/bash_config
- /etc/profile.d/linux.sh
- /etc/profile.d/bash_config.sh
- /etc/init.d/cron
- /etc/init.d/ssh
- /etc/init.d/udev
- /etc/init.d/linux_kill
- /etc/crontab
- /etc/init.d/.depend.boot
- /etc/init.d/.depend.start
- /etc/init.d/.depend.stop
Creates or modifies the following symlinks:
- /etc/rc0.d/linux_kill
- /etc/rc1.d/linux_kill
- /etc/rc2.d/linux_kill
- /etc/rc3.d/linux_kill
- /etc/rc4.d/linux_kill
- /etc/rc5.d/linux_kill
- /etc/rc6.d/linux_kill
- /etc/rc2.d/S01linux_kill
- /etc/rc3.d/S01linux_kill
- /etc/rc4.d/S01linux_kill
- /etc/rc5.d/S01linux_kill
Malicious functions:
Replaces the following system files:
Manages services:
- update-rc.d linux_kill defaults
- systemctl daemon-reload
- systemctl enable linux.service
Launches processes:
- /bin/bash -c chmod 0755 /etc/32679
- chmod 0755 /etc/32679
- /etc/32679
- <SAMPLE_FULL_PATH>
- sleep 30
- /bin/bash -c echo \"#!/bin/sh\" > /etc/profile.d/linux.sh
- /bin/bash -c
- /bin/bash -c echo -e \"#!/bin/sh\n/usr/lib/libdlrpcld.so\" > /.img
- /bin/bash -c echo -e \"#!/bin/sh\n BEGIN INIT INFO\n#chkconfig: 2345 10 90\n#description:System.img.config\n# Default-Start: 2 3 4 5\n# Default-Stop: \n END INIT INFO\n/boot/System.img.config\nexit 0\" > /etc/init.d/linux_kill;chmod +x /etc/init.d/linux_kill
- /bin/bash -c echo \"* * * * * root /.img \" >> /etc/crontab
- chmod +x /etc/init.d/linux_kill
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc0.d/linux_kill
- /bin/bash -c chmod 0755 /.img
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc0.d/linux_kill
- chmod 0755 /.img
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc0.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rc0.d/linux_kill
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc1.d/linux_kill
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc1.d/linux_kill
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc1.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rc1.d/linux_kill
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc2.d/linux_kill
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc2.d/linux_kill
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc2.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rc2.d/linux_kill
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc3.d/linux_kill
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc3.d/linux_kill
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc3.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rc3.d/linux_kill
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc4.d/linux_kill
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc4.d/linux_kill
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc4.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rc4.d/linux_kill
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc5.d/linux_kill
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc5.d/linux_kill
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc5.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rc5.d/linux_kill
- /bin/bash -c ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc6.d/linux_kill
- ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc6.d/linux_kill
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rc6.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rc6.d/linux_kill
- /bin/bash -c ln -s /etc/init.d/linux_kill /etc/rcS.d/linux_kill
- ln -s /etc/init.d/linux_kill /etc/rcS.d/linux_kill
- /bin/bash -c update-rc.d linux_kill defaults;chkconfig --add linux_kill
- /sbin/insserv linux_kill
- /bin/bash -c echo -e \"[Unit]\nDescription=\n[Service]\nType=forking\nExecStart=/boot/System.img.config\nExecReload=/boot/System.img.config\nExecStop=/boot/System.img.config\n[Install]\nWantedBy=multi-user.target\" > /etc/systemd/system/linux.service;chmod +x /etc/systemd/system/linux.service;systemctl enable linux.service
- chmod +x /etc/systemd/system/linux.service
Performs operations with the file system:
Modifies file access rights:
- /etc/32679
- /etc/init.d/linux_kill
- /.img
- /etc/systemd/system/linux.service
Creates folders:
Creates symlinks:
Creates or modifies files:
- /etc/id.services.conf
- /etc/32679
- /dev/.img
- /boot/System.img.config
- /usr/lib/libdlrpcld.so
- /lib/system-monitor
- /usr/sbin/ifconfig.conf
- /usr/bin/find
- /usr/bin/lsof
- /.img
- /etc/systemd/system/linux.service
Network activity:
Establishes connection:
- 8.#.8.8:53
- 10#.###.142.134:12345
DNS ASK: