I just got a message on the Linux mailing list asking whether viruses on Linux really exist. Maybe you folks can help. (scared ....)
Linux.Bliss
These are non-memory-resident parasitic viruses written in GNU C. They infect the Linux OS
only: infected files may be executed, and the virus may spread itself, only under
Linux. The viruses search for executable Linux files (ELF internal format) and infect
them. While infecting, the viruses shift the file body down, write themselves to the
beginning of the file and append the ID-text to the end of the file:
"Bliss.a": infected by bliss: 00010002:000045e4
"Bliss.b": infected by bliss: 00010004:000048ac
It seems that the former hex number in these lines is the virus version, and the latter
is the virus length; the virus lengths are 17892 and 18604 bytes.
When an infected file is run, the "Bliss.a" virus searches for not more than three
uninfected files and infects them. "Bliss.b" infects more files (I do not see how many). If
there are no uninfected files in the current directory, the virus scans the system
and infects files in other directories. After infecting, the viruses return control
to the host program, and it works correctly.
Linux is an access-protected system, i.e. users and programs may access only files
that they have permission to. The same applies to the virus: it may infect only the files and
directories that are writable for the current username. If the current
username has total access (system administrator), the virus will infect all files on
the computer.
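A scanner for the two facts the description gives about Bliss, the trailing ID-text and the "writable for the current username" reach, as an added example that is not part of the original post or of the AV description. It assumes only what is stated above: an infected ELF ends with "infected by bliss: <version-hex>:<length-hex>". The sample files it builds in a temporary directory are constructed fixtures (a few bytes with an ELF magic, not real programs).

```python
"""Scan a directory tree for ELF files carrying the Linux.Bliss ID-text and
report which ELF files the current account could write to.

Added example; assumes the ID-text format quoted in the description.
"""
import os
import re
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
# Trailing ID-text as quoted in the description: two 8-digit hex fields.
BLISS_ID = re.compile(rb"infected by bliss: ([0-9a-f]{8}):([0-9a-f]{8})\s*$")


def is_elf(path):
    """True if the file starts with the ELF magic."""
    with open(path, "rb") as f:
        return f.read(4) == ELF_MAGIC


def bliss_marker(path, tail=64):
    """Return (version, length) parsed from a Bliss ID-text, or None."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()
        f.seek(max(0, size - tail))       # only the last few bytes matter
        m = BLISS_ID.search(f.read())
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def scan_tree(root):
    """Walk root; map each regular ELF file to its marker and writability."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if not os.path.isfile(p) or os.path.islink(p):
                continue
            try:
                if not is_elf(p):
                    continue
            except OSError:
                continue
            results[p] = {
                "infected": bliss_marker(p),
                # files this account can modify = what Bliss could reach from it
                "writable": os.access(p, os.W_OK),
            }
    return results


def build_sample_tree():
    """Constructed fixture: one clean ELF-like file, one with the Bliss
    ID-text appended, one plain text file. Returns (root, clean, infected)."""
    root = tempfile.mkdtemp(prefix="bliss-demo-")
    clean = os.path.join(root, "clean")
    infected = os.path.join(root, "infected")
    header = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57   # fake 64-byte header
    with open(clean, "wb") as f:
        f.write(header + b"\xc3" * 16)
    with open(infected, "wb") as f:
        f.write(header + b"\x90" * 16 + b"infected by bliss: 00010002:000045e4")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("not an ELF file\n")
    os.chmod(clean, stat.S_IRUSR | stat.S_IXUSR)   # read-only for the owner
    os.chmod(infected, stat.S_IRWXU)               # owner may write it
    return root, clean, infected


if __name__ == "__main__":
    root, _, _ = build_sample_tree()
    for path, info in sorted(scan_tree(root).items()):
        print(f"{path}: infected={info['infected']} writable={info['writable']}")
```

Run as a superuser the "writable" column is of course every file, which is exactly the point the description makes about the virus's reach under a system-administrator account.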
The viruses seem to be "under debugging", and while searching for files and infecting
them they display several messages:
already infected
skipping, infected with same vers or different type
replacing older version
replacing ourselves with newer version
infecting: bytes
infect() returning success
been to already!
traversing
our size is
copy() returning success
copy() returning failure
disinfecting:
not infected
couldn't malloc bytes, skipping
couldn't read() all bytes
read bytes
happy_commit() failed, skipping
couldn't write() all bytes, hope you had backups!
successfully (i hope) disinfected
Debugging is ON
Disinfecting files...
using infection log:
The viruses also contain the text strings:
dedicated to rkd
/tmp/.bliss
asmlinkage int sys_umask(int mask)
mask&023000 return if(mask&023000) current->uid = current->euid = current->suid =
current->fsuid = 0; return old&023000} } bliss.%s.%d -l rsh%s%s %s 'cat>%s;chmod 777
%s;%s;rm -f %s' doing popen("%s" /.rhosts r %s %s .rhosts: %s, %s localhost doing
do_worm_stuff() /etc/hosts.equiv hosts.equivv: %s HOME --bliss- uninfect-files-please
disinfect-files-please version %d.%d.%d (%.8x)
CCompiled on Sep 28 1996 at 22:24:03
Written by electric eel.
dont-run-original
just-run-bliss
dont-run-virus
dont-run-bliss
just-run-original
exec
infect-file unsupported version
help help? hah! read the source!
/proc/loadavg %d.
loadav is %d
bliss was run %d sex ago, rep_wait=%d
/tmp/.bliss-tmp.%d execv /bin
PATH : /usr/spool/news /var/spool/news wow
Linux.Vit.4096
This is a non-memory-resident parasitic virus. The virus has the internal ELF format,
replicates under the Linux OS and infects Linux executable files. This is the second known
Linux virus; the first is "Linux.Bliss".
Linux is an access-protected system, i.e. users and programs may access only files
that they have permission to. The same applies to the virus: it may infect only the files and
directories that are writable for the current username. If the current
username has total access (system administrator), the virus will infect all files on
the computer.
When an infected file is executed, the virus takes control, searches for executable
ELF files in the current directory and infects them in the middle. While infecting,
the virus parses the internal file format (ELF headers), locates the first code section,
makes a "cave" by shifting this and the following sections down by 4096 bytes, writes its
code into this "cave", modifies the file entry address and corrects the necessary fields in the ELF
headers.
  Clean file:                   Infected file:

  +---------------+             +---------------+
  | ELF Headers   |--+          | ELF Headers   |--+
  |               |  |          |               |  |
  +---------------+  |          +---------------+  | virus entry
  | Section 1     |<-+ entry    | Virus         |<-+ address
  |               |    address  + - - - - - - - +
  +---------------+             | Section 1     |
  | Section 2     |             |               |
  |               |             +---------------+
  +---------------+             | Section 2     |
  . . .                         +---------------+
  | Section n     |             . . .
  |               |             | Section n     |
  +---------------+             +---------------+
The virus takes care to prevent duplicate infection. The virus infects files
quite accurately: in tests no infected files were corrupted, and the virus was able
to replicate itself from them.
While infecting, the virus uses a temporary file VI324.TMP. The name of this file was
the reason for choosing the virus name (VIxxx.Txx).
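The layout change described for Vit.4096 (first code section and everything after it shifted down by 4096 bytes, entry address redirected into the cave) is visible in the ELF headers themselves, so it can be caught by a baseline comparison. The following is an added example, not code from the original post or the AV description; it assumes little-endian ELF64 files and a baseline fingerprint taken from a known-clean copy of each binary (for instance at install time). The `build_elf` fixture is constructed for the demonstration: with `cave=4096` it reproduces only the layout change shown in the diagram, using a zero-filled cave and no virus code.

```python
"""Fingerprint the ELF header fields a cave infection disturbs and compare
them against a clean baseline.  Added example; assumes ELF64 little-endian.
"""
import hashlib
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, 64 bytes
SHF_EXECINSTR = 0x4
SHT_PROGBITS = 1


def fingerprint(data):
    """Record file size, entry address and every executable section's
    address, file offset, size and content hash."""
    (ident, _type, _mach, _ver, entry, _phoff, shoff, _flags, _ehsize,
     _phentsz, _phnum, shentsz, shnum, _shstrndx) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    sections = []
    for i in range(shnum):
        (_name, _typ, flags, addr, off, size, *_rest) = SHDR.unpack_from(data, shoff + i * shentsz)
        if flags & SHF_EXECINSTR:
            digest = hashlib.sha256(data[off:off + size]).hexdigest()
            sections.append({"index": i, "addr": addr, "off": off, "size": size, "sha256": digest})
    return {"size": len(data), "entry": entry, "exec_sections": sections}


def entry_in_exec_section(fp):
    """Baseline-free heuristic: the entry address should fall inside some
    executable section.  An infector that also rewrites section bounds can
    defeat this, so it complements rather than replaces the baseline check."""
    return any(s["addr"] <= fp["entry"] < s["addr"] + s["size"] for s in fp["exec_sections"])


def compare(baseline, current):
    """Return human-readable differences between two fingerprints."""
    findings = []
    if current["entry"] != baseline["entry"]:
        findings.append("entry point moved 0x%x -> 0x%x" % (baseline["entry"], current["entry"]))
    if current["size"] != baseline["size"]:
        findings.append("file size changed by %d bytes" % (current["size"] - baseline["size"]))
    base = {s["index"]: s for s in baseline["exec_sections"]}
    for s in current["exec_sections"]:
        b = base.get(s["index"])
        if b is None:
            findings.append("new executable section %d" % s["index"])
        elif s["off"] != b["off"]:
            findings.append("executable section %d shifted by %d bytes" % (s["index"], s["off"] - b["off"]))
        elif s["sha256"] != b["sha256"]:
            findings.append("executable section %d code changed" % s["index"])
    return findings


def build_elf(cave=0):
    """Constructed ELF64 fixture: header, optional zero-filled cave, .text,
    .data, .shstrtab, section table.  With cave=4096 the entry keeps pointing
    at the old .text address, which is now the cave, and .text moves down."""
    base_vaddr = 0x400000
    text = b"\x48\x31\xc0\xc3"                        # xor rax,rax ; ret
    data = b"hello\x00"
    shstr = b"\x00.text\x00.data\x00.shstrtab\x00"
    off = EHDR.size
    cave_off = off
    off += cave
    text_off = off
    off += len(text)
    data_off = off
    off += len(data)
    shstr_off = off
    off += len(shstr)
    shoff = off
    entry = base_vaddr + (cave_off if cave else text_off)
    shdrs = [
        SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        SHDR.pack(1, SHT_PROGBITS, SHF_EXECINSTR | 0x2, base_vaddr + text_off, text_off, len(text), 0, 0, 16, 0),
        SHDR.pack(7, SHT_PROGBITS, 0x3, base_vaddr + data_off, data_off, len(data), 0, 0, 1, 0),
        SHDR.pack(13, 3, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = EHDR.pack(ident, 2, 62, 1, entry, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, len(shdrs), 3)
    return ehdr + b"\x00" * cave + text + data + shstr + b"".join(shdrs)


if __name__ == "__main__":
    clean_fp = fingerprint(build_elf())
    caved_fp = fingerprint(build_elf(cave=4096))
    print("entry inside exec section:", entry_in_exec_section(caved_fp))
    for line in compare(clean_fp, caved_fp):
        print("-", line)
```

In the fixture the entry value itself does not change, because the cave occupies the address the first code section used to have; what changes is that the address no longer lands in any executable section, the file is 4096 bytes longer and the section offsets have moved. A real baseline should hash whole files as well; the section-level view is what explains an alert once it fires.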
--
this mailing list is supported by:
>> http://www.indolinux.com - the Indonesian Linux world
-------------------------------------------------------------------
to unsubscribe send an email to [EMAIL PROTECTED]
to see the rules send an email to [EMAIL PROTECTED]
the archive is at http://www.mail-archive.com/[email protected]