From: navneet sharma
Subject: [Glug-nith-discuss] virus for linux
Date: Mon, 13 Apr 2009 11:53:59 +0530
1. Linux.Bliss |
These are non-memory-resident parasitic viruses written in GNU C.
They infect Linux only: infected files may be executed, and the virus
may spread itself, only under Linux. The viruses search for executable Linux
files (ELF internal format) and infect them. While infecting, the viruses
shift the file body down, write themselves to the beginning of the file and
append to the end of the file the ID-text:

  "Bliss.a": infected by bliss: 00010002:000045e4
  "Bliss.b": infected by bliss: 00010004:000048ac

It seems that the former hex number in these lines is the virus version, and
the latter is the virus length; the virus lengths are 17892 and 18604 bytes.

When an infected file is run, the "Bliss.a" virus searches for not more than
three non-infected files and infects them. "Bliss.b" infects more files (it is
not known how many). If there are no infected files in the current directory,
the virus scans the system and infects the files in other directories. After
infecting, the viruses return control to the host program, and it will work
correctly.

Linux is an access-protected system; i.e., users and programs may access only
files that they have permission to. The same goes for a virus: it may infect
only the files and directories that are "write-able" for the current username.
If the current username has total access (system administrator), the virus
will infect all the files on the computer.
2. Linux.Diesel |
This is a relatively harmless, non-memory-resident parasitic virus.
It searches for Linux executable files in system directories and subdirectories,
then writes itself to the middle of the file. Before searching for files, the
virus reads its code from the host file. It moves the original bytes to the
end of the file and increases the size of the previous section. After finishing
its work, the virus restores the host and transfers control to it. The virus
contains the text string:

  / home root sbin bin opt [ Diesel : Oil, Heavy Petroleum Fraction Used In Diesel Engines ]

Now you may ask: "Why don't we have viruses in the same proportion
under Linux as we have for other proprietary OSes?" The answer to this can
be found he
3. Linux.Gildo |
It is not a dangerous, memory-resident parasitic virus. It was
written in assembler. It uses system calls (syscall) while working
with files. The virus infects ELF files. It writes itself to the middle of
the file. After it starts, the virus splits off a main process and continues
its work. The resident part scans the directories from the root. The virus
checks the access rights of each file found. If the file has write access,
the virus will infect it. While infecting a file, the virus increases the size
of its code section by 4096 bytes and writes its code to the free space. After
that the virus changes the parameters of the upper sections of the ELF file
and sets up a new entry point for it.

The virus displays this message on each start:

  Gildo virus email address@hidden (for comments)

The virus contains the text strings:

  hello, nice boys, I hope you will enjoy this program written with nasm. I want to say thanks to all my programmers friend.Bye from Gildo.
  The Netwide Assembler 0.98
  .symtab .strtab .shstrtab .text .data .sbss .bss .comment

It also contains the debug strings from the compiler:

  virus.asm parent parent_process ahah scan_dir c_stat others_permissions
  user_permissions group_permissions c_permissions is_regular_file
  c1_is_regular_file c2_is_regular_file is_directory c1_is_directory l_readdir
  skip_l_readdir e_l_readdir error_stat error_opening_file e_scan_dir
  infect_file open no_open_error file_length mmap c_mmap is_suitable
  error_suitable c1_is_suitable read_ehdr c_ehdr is_suitable_space patch_ehdr
  patch_e_entry patch_e_sh_offset patch_phdrs l_read_ph dont_patch_phtext
  dont_patch_ph patch_shdrs l_read_sh dont_patch_shtext dont_patch_sh
  find_current_entry_point write suit_error munmap mmap_error close open_error
  __exit __bss_start main _edata _end
4. Linux.Kagob |
It is a harmless non-memory-resident parasitic Linux virus. The
virus itself is a Linux executable module (ELF file). It searches for other
ELF files in the system, then infects them. While infecting, the virus moves
the victim file's contents down and writes itself to the file header. To
release control to the host file, the virus "disinfects" it to a temporary
file and executes it. The virus does not manifest itself in any way. Its body
contains the "copyright" text string:

  Linux.Kaiowas by Gobleen Warrior//SMF
5. Linux.Nuxbee |
This is a relatively harmless, non-memory-resident parasitic Linux
virus. It searches for ELF files in the directory bin, then writes itself
to the middle of the file. The virus infects files if the current user has
administrator rights. It writes itself to the entry point offset, encrypts
and saves the original bytes at the end of the file. To restore the original
file, the virus reads and encrypts the original bytes from the host file. It
uses file mapping functions to infect files. All system functions are summoned
by INT 80h (syscall). The virus contains the following text string:

  NuxBee by Bumblebee - The NeXt Frontier
6. Linux.Satyr |
This is a harmless non-memory-resident parasitic Linux virus. The
virus is a Linux executable module (ELF file). It searches for other ELF
files in the system, and then infects them. The virus infects files in the
following directories:

  current directory
  parent directory
  ~/ (user root directory)
  ~/bin (user /bin directory)
  ~/sbin (user /sbin directory)
  /bin
  /sbin
  /usr/bin
  /usr/local/bin
  /usr/bin/X11

While infecting, the virus moves the victim file's contents down and writes
itself to the file header. To release control to the host file, the virus
"disinfects" it to a temporary file and executes it. The virus does not
manifest itself in any way. Its body contains the "copyright" text string:

  unix.satyr version 1.0 (c)oded jan-2001 by Shitdown [MIONS], http://shitdown.sf.cz
7. Linux.Vit.4096 |
This is a non-memory-resident parasitic virus. The virus has the
internal ELF format, replicates under Linux OS and infects Linux executable
files. Linux is an access-protected system; i.e., users and programs may access
only files that they have permission to. The same is true for a virus: it
may infect only the files and directories that are "write-able"
for the current username. If the current username has total access (system
administrator), the virus will infect all the files on the computer.

When an infected file is executed, the virus takes control, searches for
executable ELF files in the current directory and infects them in the middle.
While infecting, the virus analyzes the internal file format (ELF headers),
locates the first code section, makes a "cave" by shifting this and the
following sections down by 4096 bytes, writes its code to this "cave",
modifies the file entry address and corrects the necessary fields in the ELF
headers. The virus looks for duplicate infection and prevents it, and, in
addition, the virus infects files quite accurately: in tests, not all infected
files were corrupted, and the virus was able to replicate itself from them.

While infecting, the virus uses the temporary file VI324.TMP. This file name
was the reason for the selection of the virus name (VIxxx.Txx).
8. Linux.Winter |
This is a harmless non-memory-resident parasitic Linux virus. It
is extremely small in size for a Linux virus: just 341 bytes (in the known
virus version). When an infected file is run, the virus gains control,
searches for ELF files (Linux executable files) in the current directory,
then writes itself to the middle of the file, into the unused "Notes" section
if there is one and it is large enough. While infecting, the virus overwrites
the "Notes" data in the section, but the program runs properly after that.
The virus contains the text string:

  LoTek by Wintermute

The virus has a routine that sets the host name (computer name) to
"Wintermute", but this routine never gains control.
9. Linux.Zipworm |
It is a harmless Linux virus affecting ZIP archives. When the virus is run,
it looks for ZIP archives in the current directory and adds its copies there.
While infecting, the virus does not use any external ZIP processing tool, but
parses the ZIP internal format by itself. The virus files in the archives have
one of five possible names:

  Ten motives why linux sux!
  Why Windows is superior to Linux!
  Is Linux for you? Never!
  Is Linux immune to virus? NO!
  zipworm!

The virus also contains the "copyright" text:

  elf zip worm vecna
Antivirus Name and Description | Interface
AMaViS Virus Scanner: A Mail Virus Scanner scans e-mail attachments for viruses. | Console
AntiVir: This is an anti-virus scanner for Linux. | Console
Clam Antivirus: Basically made for UNIX. | Console
Kaspersky Anti-Virus for Linux Workstation: This is a comprehensive anti-virus defense system for Linux workstations. | Console
McAfee VirusScan Validate: This is one of the most popular virus scanning packages available for any platform. | Console
RAV AntiVirus Desktop for Linux: Powerful and wisely designed to protect your data from a Linux environment. | X11
SAVget: SAVget is a bash script that aims to be a clone of the Windows SGET utility. | Console
TkAntivir: This is a graphical front end to the antivirus program H+BEDV AntiVir/X written in Tcl/Tk. | X11
Vexira Antivirus For Linux Server: This is a complete antivirus system designed specifically for Linux servers. | Console
Vexira Antivirus for Linux Workstation: This program provides antivirus protection for Linux workstations. | Console
Vexira MailArmor - Linux antivirus for mail servers: This is a high-speed Linux antivirus program for mail servers. | Console
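The ELF tricks described in the post (the file body shifted down with an ID-text appended at the end of the file, the entry point redirected into a 4096-byte cave in the middle, a payload written over an unused note section) all leave traces in the ELF headers themselves. The script below is an added example written for this page; it is not code from the post, from any of the viruses it describes, or from any of the listed scanners. It parses the ELF64 header, program headers and note entries and flags three inconsistencies: an entry point outside every executable PT_LOAD segment, bytes trailing the last segment and section table, and a PT_NOTE segment that no longer parses as a chain of Elf64_Nhdr entries. The four images it scans are constructed in memory (a 64-byte header, one RX PT_LOAD holding filler bytes, one PT_NOTE), and the two marker strings are the ID-texts quoted above for Bliss and Winter; the checks are header heuristics, not signatures of the real samples.

```python
import struct

PT_LOAD, PT_NOTE, PF_X = 1, 4, 1
# ID-texts quoted in the post for Linux.Bliss and Linux.Winter (substrings only).
ID_TEXTS = (b"infected by bliss", b"LoTek by Wintermute")


def parse_elf64(data):
    """Decode the entry point, program headers and section-table end of a
    little-endian ELF64 image. Only the fields the checks need are kept."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_, _, _, e_entry, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, _) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    segs = []
    for i in range(e_phnum):
        p = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        segs.append({"type": p[0], "flags": p[1], "offset": p[2],
                     "vaddr": p[3], "filesz": p[5]})
    return {"entry": e_entry, "segments": segs,
            "shdr_end": e_shoff + e_shentsize * e_shnum if e_shoff else 0}


def check_entry(elf):
    """A redirected entry point (Gildo, Vit, Nuxbee) must still map into an
    executable PT_LOAD; anything else is reported."""
    for s in elf["segments"]:
        if s["type"] == PT_LOAD and s["vaddr"] <= elf["entry"] < s["vaddr"] + s["filesz"]:
            if s["flags"] & PF_X:
                return []
            return ["entry point 0x%x lies in a non-executable segment" % elf["entry"]]
    return ["entry point 0x%x lies outside every PT_LOAD segment" % elf["entry"]]


def check_trailer(data, elf):
    """Bytes after the last segment and the section table are never loaded;
    Bliss keeps its ID-text there."""
    end = max([s["offset"] + s["filesz"] for s in elf["segments"]] + [elf["shdr_end"]])
    if len(data) > end:
        return ["%d trailing bytes beyond the image at offset %d" % (len(data) - end, end)]
    return []


def parse_notes(data, seg):
    """Walk the Elf64_Nhdr entries of a PT_NOTE segment and return
    (name, type, desc) tuples. A payload written over the notes (Winter's
    trick) produces sizes that overrun the segment and raises ValueError."""
    off, end = seg["offset"], seg["offset"] + seg["filesz"]
    notes = []
    while off < end:
        if off + 12 > end:
            raise ValueError("truncated note header at offset %d" % off)
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        name_off = off + 12
        desc_off = (name_off + namesz + 3) & ~3      # name is padded to 4 bytes
        next_off = (desc_off + descsz + 3) & ~3      # so is the descriptor
        if next_off > end:
            raise ValueError("note entry at offset %d overruns the segment" % off)
        notes.append((data[name_off:name_off + namesz].rstrip(b"\0"), ntype,
                      data[desc_off:desc_off + descsz]))
        off = next_off
    return notes


def check_notes(data, elf):
    findings = []
    for s in elf["segments"]:
        if s["type"] == PT_NOTE:
            try:
                parse_notes(data, s)
            except ValueError as e:
                findings.append("PT_NOTE at offset %d is not a note chain: %s" % (s["offset"], e))
    return findings


def scan(data):
    """Run every check; an empty list means nothing suspicious was seen."""
    elf = parse_elf64(data)
    return (check_entry(elf) + check_trailer(data, elf) + check_notes(data, elf)
            + ["ID-text %r present" % m.decode() for m in ID_TEXTS if m in data])


def build_sample(entry, note, trailer=b""):
    """Constructed test image (not a real program): header, RX PT_LOAD with
    32 filler bytes at offset 176, PT_NOTE at offset 208, optional trailer."""
    phoff, phentsize, phnum = 64, 56, 2
    code_off = phoff + phentsize * phnum                      # 176
    code = b"\x90" * 31 + b"\xc3"                             # filler, never run
    note_off = code_off + len(code)                           # 208, 4-aligned
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, entry, phoff, 0, 0,
                               64, phentsize, phnum, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, PF_X | 4, 0, 0x400000, 0x400000,
                       note_off, note_off, 0x1000)
    notes = struct.pack("<IIQQQQQQ", PT_NOTE, 4, note_off, 0x400000 + note_off,
                        0x400000 + note_off, len(note), len(note), 4)
    return ehdr + load + notes + code + note + trailer


GOOD_NOTE = struct.pack("<III", 4, 16, 3) + b"GNU\0" + bytes(range(16))  # NT_GNU_BUILD_ID
CLEAN = build_sample(0x400000 + 176, GOOD_NOTE)
BLISS_LIKE = build_sample(0x400000 + 176, GOOD_NOTE, b"infected by bliss: 00010002:000045e4")
ENTRY_MOVED = build_sample(0x400000 + 0x2000, GOOD_NOTE)
WINTER_LIKE = build_sample(0x400000 + 176, b"LoTek by Wintermute".ljust(32, b"\0"))

if __name__ == "__main__":
    for name, img in [("clean", CLEAN), ("bliss-like", BLISS_LIKE),
                      ("entry-moved", ENTRY_MOVED), ("winter-like", WINTER_LIKE)]:
        print(name, scan(img) or ["ok"])
```

The clean image yields no findings; the Bliss-like one reports the 36 trailing bytes and the marker, the entry-moved one reports the entry point outside every PT_LOAD, and the Winter-like one reports the unparseable PT_NOTE plus the marker. On a real binary the same parse_elf64 and scan calls work on the file's bytes, with the usual caveat that trailing bytes alone (a signature, a self-extracting payload) are a reason to look, not a verdict.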