On Wed, 28 Mar 2001, Diana Cionoiu wrote:
> The reason I like Linux, and Unix in general, is that there are no
> viruses, and the idea of viruses under Linux is terrible nonsense.
I like it too, but I wouldn't be quite so categorical in my statements.
Just think that you'll be left without your favorite OS when you run into
such a virus :)
From what I've heard, some viruses in the form of kernel modules have even
come out on the market (...). How such a virus gets root in order to load
itself is its own business... But I don't see any reason why such a thing
couldn't exist.
Ovidiu
#1
Chinese worm / Chinese water torture
Name: Linux/Lion
Type: Linux worm.
Date: 27 March 2001
Description:
Linux/Lion is an internet worm written for the Linux operating
system. It is similar to Linux/Ramen (i.e. one of the worm files
is already detected as Linux/Ramen).
It spreads by scanning random class B IP networks for hosts
that are vulnerable to a remote exploit in the Bind name service
daemon. Once it has found a candidate for infection it attacks
the remote machine and, if successful, downloads and installs a
package from coollion.51.net. This package contains a copy of
the worm and also the t0rn rootkit. The rootkit is designed to
hide the presence of the worm by replacing many of the system
binaries with trojaned versions and cleaning the log files. In
particular, the following files may be created or changed:
/usr/sbin/nscd
/bin/in.telnetd
/bin/mjy
/usr/sbin/in.fingerd
/bin/ps
/sbin/ifconfig
/usr/bin/du
/bin/netstat
/usr/bin/top
/bin/ls
/usr/bin/find
The following directories may also be created:
/usr/man/man1/man1/lib/.lib
/usr/src/.puta
/usr/info/.t0rn
/dev/.lib
The worm keeps itself active during reboots by appending some
lines to /etc/rc.d/rc.sysinit disguised with the comment 'Name
Server Cache Daemon..'. It also deletes /etc/hosts.deny and
appends lines to /etc/inetd.conf to leave a root shell on port
1008. Finally, it emails the contents of /etc/passwd,
/etc/shadow and the output from ifconfig -a, to an address in
the china.com domain.
#2
Name: W32/Lindose
Aliases: ELF/Lindose, W32/Winux, W32.PEElf.2132
Type: W32 executable file virus and Linux ELF executable file
virus
Date: 28 March 2001
Description:
W32/Lindose is the first cross-platform virus to infect both
Windows PE executable files and Linux ELF executable files.
When the virus is executed, it searches for PE and ELF files in
the current directory and other directories above the current
one in the directory tree. If a PE file is found, the virus
looks for the .reloc section, and if the section is large
enough, overwrites it with the virus code.
If an ELF executable file is found, the virus appends the
uninfected original host code to the end of the file, so that it
can be restored and run in memory after the virus code stops
running. It also overwrites the original entry point with the
virus code.
The virus body contains the text:
"[Win32/Linux.Winux] multi-platform virus by Benny/29A"
and
"This GNU program is covered by GPL."
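The Linux/Lion traces listed in advisory #1 can be checked on a copy of the filesystem mounted from trusted media, since ls, find, ps and netstat are among the binaries the rootkit replaces. This is an added example, not part of the original message or the advisory; the function names, the sample tree and the numeric-port form of the inetd.conf entry are assumptions.

```python
import os
import tempfile
# Indicators taken from the Linux/Lion description above.
LION_DIRS = ["/usr/man/man1/man1/lib/.lib", "/usr/src/.puta",
             "/usr/info/.t0rn", "/dev/.lib"]
RC_MARKER, SHELL_PORT = "Name Server Cache Daemon..", "1008"

def _read_lines(path):
    if not os.path.isfile(path):
        return []
    with open(path, errors="replace") as fh:
        return fh.read().splitlines()

def lion_findings(root):
    """Return a list of findings for the filesystem tree mounted at root."""
    at = lambda p: os.path.join(root, p.lstrip("/"))
    found = [f"rootkit directory present: {d}"
             for d in LION_DIRS if os.path.isdir(at(d))]
    for n, line in enumerate(_read_lines(at("/etc/rc.d/rc.sysinit")), 1):
        if RC_MARKER in line:
            found.append(f"rc.sysinit line {n}: persistence marker comment")
    for n, line in enumerate(_read_lines(at("/etc/inetd.conf")), 1):
        fields = line.split()
        # Assumption: the listener is named by its numeric port in field 1.
        if fields and not line.lstrip().startswith("#") and fields[0] == SHELL_PORT:
            found.append(f"inetd.conf line {n}: service on port {SHELL_PORT}")
    if not os.path.exists(at("/etc/hosts.deny")):
        found.append("/etc/hosts.deny is missing (weak indicator on its own)")
    return found

def build_sample_tree(root, infected):
    """Constructed test fixture: a minimal /etc, optionally with Lion traces."""
    os.makedirs(os.path.join(root, "etc/rc.d"))
    rc = ["#!/bin/sh", "# system init"]
    inetd = ["# ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd"]
    if infected:
        os.makedirs(os.path.join(root, "dev/.lib"))
        rc += ["# Name Server Cache Daemon..", "/usr/sbin/nscd -q"]  # constructed
        inetd.append("1008 stream tcp nowait root /bin/sh sh")       # constructed
    else:
        open(os.path.join(root, "etc/hosts.deny"), "w").close()
    for name, lines in (("etc/rc.d/rc.sysinit", rc), ("etc/inetd.conf", inetd)):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("\n".join(lines) + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, infected=True)
        print("\n".join(lion_findings(tmp)))
```

The binaries the advisory lists as "created or changed" exist on clean systems too, so they are left out here and need comparison against known-good copies instead.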