Info from http://www.plasa.com
>
> Linux.Bliss
> These are nonmemory resident parasitic viruses written in GNU C. They infect
> Linux OS only - infected files may be executed, and the virus may spread
> itself only under Linux. The viruses search for executable Linux files (ELF
> internal format) and infect them. While infecting the viruses shift the file
> body down, write themselves to the beginning of file and append to the end
> of file the ID-text:
> "Bliss.a": infected by bliss: 00010002:000045e4
> "Bliss.b": infected by bliss: 00010004:000048ac
>
> It seems that the former hex number in these lines is a virus version, and
> the latter is the virus length - the virus lengths are 17892 and 18604
> bytes.
>
> When an infected file is run, the "Bliss.a" virus searches for not more than
> three not infected files and affects them. "Bliss.b" infects more files (I
> see not how much). If there are no not infected files in the current
> directory, the virus scans the system and infects the files in other
> directories. After infecting the viruses return control to the host program,
> and it will work correctly.
>
> Linux is the access-protected system, i.e. users and programs may access
> only files that they have permission to. The same for virus - it may infect
> only the files and directories that are declared as "write-able" for current
> username. If current username has total access (system administrator), the
> virus will infect all files on computer.
>
> The viruses seem to be "under debugging" and while searching for files and
> infecting them they display several messages:
>
> already infected
> skipping, infected with same vers or different type
> replacing older version
> replacing ourselves with newer version
> infecting: bytes
> infect() returning success
> been to already!
> traversing
> our size is
> copy() returning success
> copy() returning failure
> disinfecting:
> not infected
> couldn't malloc bytes, skipping
> couldn't read() all bytes
> read bytes
> happy_commit() failed, skipping
> couldn't write() all bytes, hope you had backups!
> successfully (i hope) disinfected
> Debugging is ON
> Disinfecting files...
> using infection log:
>
> The viruses also contain the text strings:
>
> dedicated to rkd
> /tmp/.bliss
> asmlinkage int sys_umask(int mask)
> mask&023000 return if(mask&023000) current->uid = current->euid =
> current->suid = current->fsuid = 0; return old&023000} } bliss.%s.%d -l
> rsh%s%s %s 'cat>%s;chmod 777 %s;%s;rm -f %s' doing popen("%s" /.rhosts r %s
> %s .rhosts: %s, %s localhost doing do_worm_stuff() /etc/hosts.equiv
> hosts.equiv: %s HOME --bliss- uninfect-files-please disinfect-files-please
> version %d.%d.%d (%.8x)
> Compiled on Sep 28 1996 at 22:24:03
> Written by electric eel.
> dont-run-original
> just-run-bliss
> dont-run-virus
> dont-run-bliss
> just-run-original
> exec
> infect-file unsupported version
> help help? hah! read the source!
> /proc/loadavg %d.
> loadav is %d
> bliss was run %d sex ago, rep_wait=%d
> /tmp/.bliss-tmp.%d execv /bin
> PATH : /usr/spool/news /var/spool/news wow
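Added example, not part of the quoted description or the original post: a detection check for the appended ID-text, which parses the two hex fields and cross-checks the "body shifted down" layout so that a text file merely quoting the marker is rated lower. The 256-byte tail window, the host-at-offset-length layout test, and all function names are assumptions; the sample inputs are constructed and inert.

```python
import re

# ID-text format quoted on the page: "infected by bliss: <version>:<length>" (hex).
ID_TEXT = re.compile(rb"infected by bliss: ([0-9a-fA-F]{8}):([0-9a-fA-F]{8})")
ELF_MAGIC = b"\x7fELF"
TAIL = 256  # assumption: the ID-text sits within the last 256 bytes of the file


def check_bliss(data: bytes):
    """Return None if no ID-text is near the end of data, else a finding dict."""
    matches = list(ID_TEXT.finditer(data[-TAIL:]))
    if not matches:
        return None
    version, length = (int(g, 16) for g in matches[-1].groups())
    # Assumption from "shift the file body down": the original ELF host
    # starts right after the prepended virus body, at offset <length>.
    layout_ok = data[:4] == ELF_MAGIC and data[length:length + 4] == ELF_MAGIC
    return {
        "version": f"{version:08x}",
        "virus_length": length,
        "confidence": "marker+layout" if layout_ok else "marker-only",
    }


def scan_file(path):
    """Apply check_bliss to a file on disk."""
    with open(path, "rb") as fh:
        return check_bliss(fh.read())


def constructed_sample(id_text: bytes, length: int) -> bytes:
    """Inert stand-in: zero filler where the virus body would be, then a fake host."""
    prefix = ELF_MAGIC + b"\x00" * (length - 4)
    host = ELF_MAGIC + b"\x00" * 60
    return prefix + host + id_text + b"\n"


if __name__ == "__main__":
    a = constructed_sample(b"infected by bliss: 00010002:000045e4", 0x45E4)
    b = constructed_sample(b"infected by bliss: 00010004:000048ac", 0x48AC)
    note = b"advisory text quoting infected by bliss: 00010002:000045e4\n"
    clean = ELF_MAGIC + b"\x00" * 64
    for name, blob in (("a", a), ("b", b), ("note", note), ("clean", clean)):
        print(name, check_bliss(blob))
```

The parsed lengths match the 17892 and 18604 bytes given in the description, which is a useful sanity check when triaging a hit.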