[ LUGOS ] Re: Linux virus

Miha Tomsic miha.tomsic at guest.arnes.si
Sun Nov 15 08:51:28 CET 1998


	Hi!

> --------------------------
> Name: Linux/Bliss
> Alias: Bliss, Linux virus, Unix virus, HLLO.17892
> Size: 17892 
> 
> This virus spreads only under Linux operating system, infecting 
> Elf-style executables. Found in the wild in February 1997, Bliss is 
> the second known Linux virus (first being Staog). 
> 
> Bliss locates binaries with write access and overwrites them with its own code. When an infected file is executed, the original program does not gain control at all. However, it is still possible to clean infected files. 
> 
> Bliss does not try to subvert any additional user rights, but it does have some basic worm-like features, looking for new hosts to infect via the /etc/hosts.equiv file. 
> 
> Bliss contains several text strings, including: 
> 
> dedicated to rkd
> infected by bliss
> skipping, infected with same vers or different type replacing older version
> replacing ourselves with newer version
> infect() returning success
> successfully (i hope) disinfected
> rsh%s%s %s 'cat>%s;chmod 777 %s;%s;rm -f %s' doing do_worm_stuff()
> /etc/hosts.equiv
> Compiled on Sep 28 1996 at 22:24:03
> Written by electric eel.
> help? hah! read the source!
> bliss was run %d sex ago, rep_wait=%d
> /usr/spool/news
> GCC: (GNU) 2.7.2.l.2 
> 
> Bliss does contain potentially harmful code, but it is unclear if this is executed or not. 
> 
> Bliss can be detected by searching all binaries for the following hex search string: 
> 
> E8ABD8FFFFC20000363465643134373130363532 
> 
> Bliss will disinfect itself if an infected binary is executed with the --bliss-disinfect-files-please switch. 
> 
> ---------------------------
> 
> Name: Linux/Staog
> Alias: Staog
> Size: 4744 
> 
> This virus spreads only under Linux operating system, infecting Elf-style executables. Found in the fall of 1996, Staog is the first known Linux virus. 
> 
> Staog is written in assembler. It attempts to stay resident and infect binaries as they are executed by any user. Staog tries to subvert root access via three known vulnerabilities (mount buffer overflow, tip buffer overflow and one suidperl bug). 
> 
> Staog contains several text strings, including: 
> 
> Staog by Quantum / VLAD
> /dev/kmemx/etc/mtab~
> /sbin/mount
> /tmp/t.dip
> /bin/sh
> /sbin/dip /tmp/t.dip
> chatkey
> /tmp/hs
> #!/bin/sh\nchmod 666 /dev/kmem\n/tmp/hs
> #!/usr/bin/suidperl -U\n$ENV{PATH}=\"/bin:/usr/bin\"; \n$>=0;$<=0;\nexec(\"chmod 666 /dev/kmem\");\n 
> 
> VLAD is an Australian virus group, which also wrote the first Windows 95 virus, Boza. 
> 
> Staog can be detected by searching all binaries for the following hex search string: 
> 
> 215B31C966B9FF0131C0884309884314B00FCD80 
> 
> Staog is not known to be in the wild at the time of this writing (February 1997). 

Any comments on this? The text comes from F-Prot.

	Mikka - aalte saakker...

 - Miha Tomsic --- C. na postajo 55 -- SI-1351 Brezovica pri Lj. --- SLOVENIA -
 - home-made -- electronics -- music -- industrial -- physics -- net -- linux -
 - philosophy -- poetry -- arts ---- Lower Parts of Abdomen ---- Josef Banale -
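As an added example (not part of the post, and not F-Prot's code), a small Python scanner that applies the two hex search strings quoted above to every ELF file under a directory, carrying bytes over between read chunks so a signature that straddles a chunk boundary is still found; the sample tree it scans is constructed in a temporary directory.

```python
import os
import tempfile

SIGNATURES = {  # hex search strings as quoted in the post
    "Linux/Bliss": bytes.fromhex("E8ABD8FFFFC20000363465643134373130363532"),
    "Linux/Staog": bytes.fromhex("215B31C966B9FF0131C0884309884314B00FCD80"),
}
ELF_MAGIC = b"\x7fELF"
LONGEST = max(len(s) for s in SIGNATURES.values())

def match_signatures(data, signatures=SIGNATURES):
    """Names of all signatures that occur in a byte string."""
    return [name for name, sig in signatures.items() if sig in data]

def scan_file(path, signatures=SIGNATURES, chunk=1 << 20):
    """Signature names found in one ELF file; files without the ELF magic are skipped."""
    hits = []
    with open(path, "rb") as f:
        if f.read(len(ELF_MAGIC)) != ELF_MAGIC:
            return hits
        f.seek(0)
        tail = b""  # carry-over so a signature split across two chunks is still found
        while data := f.read(chunk):
            window = tail + data
            hits += [n for n in match_signatures(window, signatures) if n not in hits]
            tail = window[-(LONGEST - 1):]
    return hits

def scan_tree(root, signatures=SIGNATURES, chunk=1 << 20):
    """Walk a directory tree; return {path: [names]} for regular files carrying a signature."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            if os.path.islink(p) or not os.path.isfile(p):
                continue  # symlinks and special files are not scanned
            hits = scan_file(p, signatures, chunk)
            if hits:
                found[p] = hits
    return found

def demo(chunk=1 << 20):
    """Constructed sample tree: a fake 'infected' ELF, a clean ELF and a non-ELF text file."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "bin_a": ELF_MAGIC + b"\x00" * 100 + SIGNATURES["Linux/Bliss"] + b"\x00" * 10,
            "bin_b": ELF_MAGIC + b"\x00" * 200,
            "notes.txt": SIGNATURES["Linux/Staog"],  # no ELF magic, so ignored
        }
        for name, body in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        return {os.path.basename(p): v for p, v in scan_tree(d, chunk=chunk).items()}
```

Calling `demo(chunk=7)` forces the Bliss string to be split across reads and shows that the carry-over still catches it.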

More information about the Starilist mailing list