La mia libreria
La mia libreria

+ Aggiungi alla libreria

Supporto
Supporto 24/7 | Regole per contattare

Richieste

Profile

Linux.Siggen.7953

Aggiunto al database dei virus Dr.Web: 2024-08-17

La descrizione è stata aggiunta:

Technical Information

Malicious functions:
Removes itself
Substitutes application name for:
  • [kworker/u2:49]
  • [kworker/u1:1]
Manages services:
  • ['systemctl', 'daemon-reload']
  • ['systemctl', 'enable', 'bot.service']
  • ['systemctl', 'start', 'bot.service']
Launches processes:
  • /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.WFCxFh /tmp/apt.data.pYtN6h
  • readlink -f /tmp/apt-key-gpghome.sY8xng9Kv2
  • cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
  • rm -f /tmp/apt-key-gpghome.sY8xng9Kv2/pubring.gpg
  • apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
  • mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
  • touch /tmp/apt-key-gpghome.sY8xng9Kv2/pubring.gpg
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
  • cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
  • cat /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
  • apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
  • cat /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
  • readlink -f /etc/apt/trusted.gpg.d/
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
  • apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
  • /usr/lib/apt/methods/https
  • apt-config shell GPGV Apt::Key::gpgvcommand
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
  • chmod 700 /tmp/apt-key-gpghome.sY8xng9Kv2
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
  • apt-get update
  • apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
  • apt-get --fix-broken install
  • cat /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
  • cat /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
  • find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 ( -name *.gpg -o -name *.asc )
  • /usr/bin/dpkg --print-foreign-architectures
  • sort
  • cmp --silent --bytes=1 - /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
  • apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
  • cat /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
  • cat /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
  • apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
  • apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
  • /usr/lib/apt/methods/http
  • /usr/lib/apt/methods/gpgv
Kills the following processes:
  • rcu_tasks_trace
  • ata_sff
  • scsi_eh_0
  • scsi_tmf_0
  • scsi_eh_1
  • scsi_tmf_1
  • ksoftirqd/0
  • rcu_sched
  • migration/0
  • jbd2/sda1-8
  • ext4-rsv-conver
  • cpuhp/0
  • kdevtmpfs
  • netns
  • kauditd
  • kthreadd
  • khungtaskd
  • oom_reaper
  • writeback
  • kcompactd0
  • ksmd
  • khugepaged
  • ttm_swap
  • rcu_gp
  • kworker/u2:4
  • rcu_par_gp
  • kintegrityd
  • kblockd
  • blkcg_punt_bio
  • edac-poller
  • devfreq_wq
  • kworker/0:1H
  • kworker/0:0
  • kworker/0:2
  • kswapd0
  • kthrotld
  • acpi_thermal_pm
  • ipv6_addrconf
  • kworker/u2:1
  • kworker/0:1
  • kworker/0:0H
  • kstrp
  • zswap-shrink
  • kworker/u3:0
  • 9bc2fd2a
  • kworker/u2:0
  • mm_percpu_wq
  • rcu_tasks_rude_
  • <SAMPLE>
  • http
  • gpgv
Performs operations with the file system:
Modifies file access rights:
  • /var/cache/apt/archives/partial
  • /var/lib/apt/lists/auxfiles
  • /var/lib/apt/lists/partial
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
  • /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
  • /tmp/apt-key-gpghome.sY8xng9Kv2
Modifies file owner:
  • /var/cache/apt/archives/partial
  • /var/lib/apt/lists/auxfiles
  • /var/lib/apt/lists/partial
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
  • /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
Creates folders:
  • /tmp/apt-key-gpghome.sY8xng9Kv2
Creates or modifies files:
  • /etc/systemd/system/bot.service
  • /tmp/bot-start.sh
  • /tmp/#130834 (deleted)
  • /var/lib/dpkg/lock-frontend
  • /var/lib/dpkg/lock
  • /var/cache/apt/archives/lock
  • /var/lib/apt/lists/lock
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.qleT54
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.fWYh42
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.K0hIT2
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.Oj6BX0
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
  • /tmp/apt.conf.TjMdNj
  • /tmp/apt.sig.WFCxFh
  • /tmp/apt.data.pYtN6h
  • /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
  • /tmp/apt-key-gpghome.sY8xng9Kv2/pubring.gpg
Deletes files:
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.qleT54
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.fWYh42
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.K0hIT2
  • /var/lib/apt/lists/partial/.apt-acquire-privs-test.Oj6BX0
Changes time of creation/access/modification of files:
  • /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_bullseye-security_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye_InRelease
  • /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bullseye-updates_InRelease
  • /var/lib/apt/lists/partial/download.docker.com_linux_debian_dists_bullseye_InRelease
  • /tmp/apt-key-gpghome.sY8xng9Kv2/pubring.gpg
Network activity:
Awaits incoming connections on ports:
  • 127.0.0.1:9999
Establishes connection:
  • 45.##.28.202:5111
  • 8.#.8.8:53
  • [2##########78c:a400:3:db06:4200:93a1]:443
  • (e##val)
  • [2##########78c:c600:3:db06:4200:93a1]:443
  • [2##########78c:9c00:3:db06:4200:93a1]:443
  • [2##########78c:3a00:3:db06:4200:93a1]:443
  • [2##########78c:4e00:3:db06:4200:93a1]:443
  • [2##########78c:6000:3:db06:4200:93a1]:443
  • [2##########78c:d000:3:db06:4200:93a1]:443
  • [2##########78c:f000:3:db06:4200:93a1]:443
  • 3.###.68.127:443
  • 3.###.68.76:443
  • 3.###.68.87:443
  • 3.###.68.13:443
  • 14#.##.118.132:80
  • [2#####e42:8d::644]:80
DNS ASK:
  • _h####.##cp.download.docker.com
  • _h###.###p.security.debian.org
  • _h###.##cp.deb.debian.org
  • de####.#ap.fastlydns.net
  • do####ad.docker.com
Sends data to the following servers:
  • 14#.##.118.132:80
  • 3.###.68.127:443
Receives data from the following servers:
  • 14#.##.118.132:80
  • 3.###.68.127:443

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number