Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Linux.Siggen.4448

Added to the Dr.Web virus database: 2022-03-13

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Modifies router settings:
  • /bin/nvram
Launches processes:
  • sh -c rm -rf /var/run/wgsh > /dev/null 2>&1 &
  • sh -c rm -rf /var/run/bbsh > /dev/null 2>&1 &
  • rm -rf /var/run/wgsh
  • sh -c rm -rf /var/run/pty > /dev/null 2>&1 &
  • rm -rf /var/run/bbsh
  • sh -c killall -9 arm > /dev/null 2>&1 &
  • rm -rf /var/run/pty
  • sh -c killall -9 mips > /dev/null 2>&1 &
  • sh -c killall -9 mipsel > /dev/null 2>&1 &
  • sh -c killall -9 powerpc > /dev/null 2>&1 &
  • sh -c killall -9 ppc > /dev/null 2>&1 &
  • sh -c killall -9 daemon.armv4l.mod > /dev/null 2>&1 &
  • sh -c killall -9 daemon.i686.mod > /dev/null 2>&1 &
  • sh -c killall -9 daemon.mips.mod > /dev/null 2>&1 &
  • sh -c killall -9 daemon.mipsel.mod > /dev/null 2>&1 &
  • sh -c kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &
  • sh -c rm -rf /tmp/.xs/* > /dev/null 2>&1 &
  • cat /tmp/.xs/*.pid
  • sh -c touch -acmr /bin/ls <SAMPLE_FULL_PATH>
  • rm -rf /tmp/.xs/*
  • touch -acmr /bin/ls <SAMPLE_FULL_PATH>
  • sh -c (crontab -l | grep -v \"<SAMPLE_FULL_PATH>\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1
  • crontab -l
  • grep -v <SAMPLE_FULL_PATH>
  • grep -v no cron
  • grep -v lesshts/run.sh
  • sh -c echo \"* * * * * <SAMPLE_FULL_PATH> > /dev/null 2>&1 &\" >> /var/run/.x001804289383
  • sh -c crontab /var/run/.x001804289383
  • crontab /var/run/.x001804289383
  • sh -c rm -rf /var/run/.x001804289383
  • rm -rf /var/run/.x001804289383
  • sh -c /bin/uname -n
  • sh -c nvram get router_name
  • /bin/uname -n
Attempts to kill the following processes:
  • killall -9 arm
  • killall -9 mips
  • killall -9 mipsel
  • killall -9 powerpc
  • killall -9 ppc
  • killall -9 daemon.armv4l.mod
  • killall -9 daemon.i686.mod
  • killall -9 daemon.mips.mod
  • killall -9 daemon.mipsel.mod
Performs operations with the file system:
Modifies file access rights:
  • /var/spool/cron/crontabs/tmp.6KHXwX
Creates or modifies files:
  • /var/run/.x001804289383
  • /run/.x001804289383
  • /var/spool/cron/crontabs/tmp.6KHXwX
Deletes files:
  • /var/run/wgsh
  • /var/run/bbsh
  • /var/run/pty
  • /tmp/.xs/*
  • /var/run/.x001804289383
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:63008
Connects to the following servers over the IRC protocol:
  • Server: 66.##8.182.1; Command: NICK x86|x|0|129260|unknown\nUSER x00 localhost localhost :2021r\n
  • Server: 66.##8.182.1; Command: NICK x86|x|0|129260|unknown\n
  • Server: 66.##8.182.1; Command: MODE x86|x|0|129260|unknown -xi\n
  • Server: 66.##8.182.1; Command: JOIN #0x86 :777\n
Other:
Collects OS information

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number