Linux.Siggen.4160
Added to the Dr.Web virus database:
2021-08-12
Virus description added:
2021-08-12
Technical Information
Malicious functions:
Performs process tracing:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
Manages services:
- systemctl stop pwnrigl.service
Launches processes:
- /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' "$@" <SAMPLE_FULL_PATH>
- <SAMPLE_FULL_PATH>
- /bin/bash <SAMPLE_FULL_PATH> -c
- chattr -ia /bin/-bash
- rm -rf /bin/-bash
- chattr +ia /bin/-bash
- chattr -ia /usr/bin/-bash
- rm -rf /usr/bin/-bash
- chattr +ia /usr/bin/-bash
- chattr -ia /usr/sbin/-bash
- rm -rf /usr/sbin/-bash
- chattr +ia /usr/sbin/-bash
- chattr -ia /usr/bin/dbused
- rm -rf /usr/bin/dbused
- chattr +ia /usr/bin/dbused
- chattr -ia /bin/sysmd
- rm -rf /bin/sysmd
- chattr +ia /bin/sysmd
- chattr -ia /usr/sbin/systemd
- rm -rf /usr/sbin/systemd
- chattr +ia /usr/sbin/systemd
- chattr -ia /etc/master
- rm -rf /etc/master
- chattr +ia /etc/master
- chattr -i /bin/.sh
- chattr -i /usr/lib/mysql/sh
- chattr -i /etc/.sh
- chattr -i /bin/shh
- chattr -i /sbin/https
- chattr -i /etc/spts
- chattr -i /usr/bin/.funzip
- chattr -i /etc/sphp
- rm -rf /bin/.sh
- rm -rf /usr/lib/mysql/sh
- rm -rf /etc/.sh
- rm -rf /bin/shh
- rm -rf /sbin/https
- rm -rf /etc/spts
- rm -rf /usr/bin/.funzip
- rm -rf /etc/sphp
- rm -rf /etc/.sftp
- cat /etc/.bashpid
- xargs -I % kill -9 %
- cat /etc/.qucfu.pid
- pidof .sh
Attempts to kill the following processes:
Kills the following processes:
- <SAMPLE>
- <SAMPLE_FULL_PATH>
Performs operations with the file system:
Creates or modifies files:
- /bin/-bash
- /usr/bin/-bash
- /usr/sbin/-bash
- /usr/bin/dbused
- /bin/sysmd
- /usr/sbin/systemd
- /etc/master
- /etc/ld.so.preload
Deletes files:
- /bin/-bash
- /usr/bin/-bash
- /usr/sbin/-bash
- /usr/bin/dbused
- /bin/sysmd
- /usr/sbin/systemd
- /etc/master
- /bin/.sh
- /usr/lib/mysql/sh
- /etc/.sh
- /bin/shh
- /sbin/https
- /etc/spts
- /usr/bin/.funzip
- /etc/sphp
- /etc/.sftp
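The listing above is a set of host artifacts: files the sample drops or deletes, the immutable/append-only attributes it sets with chattr +ia, the /etc/ld.so.preload write, the pid files it reads before killing, and the pwnrigl.service unit it stops. As an added example (not Dr.Web's tooling and not part of the original entry), the POSIX shell script below hunts for those artifacts on a host. The paths are the ones in the description; the ROOT argument (so it can be pointed at a mounted image or a staged directory), the function names, and the assumption that the pwnrigl unit lives under /etc/systemd/system are mine.

```shell
#!/bin/sh
# Hunt for the artifacts listed in the Linux.Siggen.4160 entry.
# Added example; assumes a root directory argument (default /) so it can
# be run against a mounted disk image or a test directory.

# Drop paths, competitor paths the sample deletes, and the pid files it reads.
IOC_PATHS="bin/-bash usr/bin/-bash usr/sbin/-bash usr/bin/dbused bin/sysmd \
usr/sbin/systemd etc/master bin/.sh usr/lib/mysql/sh etc/.sh bin/shh \
sbin/https etc/spts usr/bin/.funzip etc/sphp etc/.sftp etc/.bashpid etc/.qucfu.pid"

# scan_root ROOT: print one line per finding.
# Returns 0 when anything was found, 1 when the tree looks clean.
scan_root() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "", so "$root/$p" stays absolute
    found=1
    for p in $IOC_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "IOC path present: $root/$p"
            found=0
        fi
    done
    # /etc/ld.so.preload is absent or empty on most hosts; the sample writes it,
    # so any non-blank entry deserves a look (the preloaded library is not named
    # in the description, hence no allowlist here).
    pre="$root/etc/ld.so.preload"
    if [ -s "$pre" ]; then
        grep -v '^[[:space:]]*$' "$pre" | while read -r lib; do
            echo "ld.so.preload entry: $lib"
        done
        found=0
    fi
    # Assumed location for the unit the sample stops with systemctl.
    unit="$root/etc/systemd/system/pwnrigl.service"
    if [ -e "$unit" ]; then
        echo "unit file present: $unit"
        found=0
    fi
    return "$found"
}

# check_immutable FILE: return 0 when the file carries the immutable (i) or
# append-only (a) attribute the sample sets with chattr +ia, 1 otherwise.
# Needs e2fsprogs' lsattr; on filesystems without attribute support it
# returns 1. Remediation of a hit is "chattr -ia FILE" before removal,
# the same step the sample itself performs on competitor binaries.
check_immutable() {
    f="$1"
    [ -e "$f" ] || return 1
    attrs=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1)
    case "$attrs" in
        *i*|*a*) return 0 ;;
    esac
    return 1
}

# Optional stand-alone run: SCAN_ROOT=/ sh hunt.sh
if [ -n "${SCAN_ROOT:-}" ]; then
    scan_root "$SCAN_ROOT"
fi
```

Run it as SCAN_ROOT=/ sh hunt.sh on a live host, or with SCAN_ROOT pointing at a mounted image. A hit on check_immutable for any of the drop paths is the stronger signal: a system binary path such as /usr/sbin/systemd should never carry the immutable bit.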