[Gloucs] Bad news for Linux

Christian Trapp Christian.Trapp at gmx.net
Thu Apr 20 11:06:57 BST 2006



Hi All,

It was just a matter of time till somebody would create a virus for Linux :(

Original message from http://www.viruslist.com/en/weblog

---------------------------------------------- Start of message --------------------------

Crossplatform virus - the latest proof of concept

Kostya, April 07, 2006 | 07:32 GMT

We've received a new sample: another cross platform virus. This sample
is the latest attempt to create malicious code which will infect both
Linux and Win32 systems. It's therefore been given a double name:
Virus.Linux.Bi.a/ Virus.Win32.Bi.a

The virus is written in assembler and is relatively simple: it only
infects files in the current directory. However, it is interesting in
that it is capable of infecting the different file formats used by Linux
and Windows - ELF and PE format files respectively.

To infect ELF files, the virus uses INT 80 system calls and injects its
body into the file immediately after the ELF file header and before the
".text" section. This changes the entry point of the original file.

Infected files are identified with a 2-byte signature, 7DFBh, at 0Bh.

The virus uses the Kernel32.dll function to infect systems running
Win32. It injects its code to the final section, and gains control by
again changing the entry point. Infected PE files contain the same
2-byte signature as ELF files; the signature is placed in the PE
TimeDateStamp header.

Infected files contain the following text strings:

[CAPZLOQ TEKNIQ 1.0] (c) 2006 JPanic:

This is Sepultura signing off...

This is The Soul Manager saying goodbye...

Greetz to: Immortal Riot, #RuxCon!

The infector itself contains the following strings:

[CAPZLOQ TEKNIQ 1.0] VIRUS DROPPER (c) 2006 JPanic

[CAPZLOQ TEKNIQ 1.0] VIRUS SUCCESFULLY EXECUTED!

The virus doesn't have any practical application - it's classic Proof of
Concept code, written to show that it is possible to create a cross
platform virus.
However, our experience shows that once proof of concept code is
released, virus writers are usually quick to take the code, and adapt it
for their own use.

Detection for Virus.Linux.Bi.a/ Virus.Win32.Bi.a was added to the
Kaspersky Anti-Virus databases shortly after the sample was received.
--------------------------------------------------------- End ----------------------------------

--
What is LINUX? Visit http://www.linux.org/lininfo/
This is a signed email, and the signature allows a recipient to check
that I am, indeed, the author.
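A defender-side check for the infection marker the write-up describes (7DFBh at offset 0Bh of an infected ELF header, and the same word in the COFF TimeDateStamp of an infected PE). This is an added example, not code from the original post or from Kaspersky; it assumes the marker is stored as a little-endian word (bytes FB 7D) and, for PE, that it sits in the low 16 bits of the 4-byte TimeDateStamp. The sample headers are constructed inline.

```python
import struct

# Marker and locations taken from the Kaspersky write-up above.
# Assumption: 7DFBh is stored as a little-endian word (bytes FB 7D),
# which is how an x86 "cmp word" against 7DFBh would see it.
INFECTION_MARKER = 0x7DFB
ELF_MARKER_OFFSET = 0x0B          # inside e_ident[EI_PAD] of the ELF header
ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"PE\0\0"

def elf_marker(data: bytes):
    """Little-endian word at offset 0x0B of an ELF header, or None if not ELF."""
    if len(data) < 0x10 or data[:4] != ELF_MAGIC:
        return None
    return struct.unpack_from("<H", data, ELF_MARKER_OFFSET)[0]

def pe_timestamp(data: bytes):
    """COFF TimeDateStamp of a PE file, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return None
    # COFF header follows the 4-byte signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def carries_bi_marker(data: bytes) -> bool:
    """True if the file carries the Bi.a marker where the write-up says it is placed."""
    word = elf_marker(data)
    if word is not None:
        return word == INFECTION_MARKER
    ts = pe_timestamp(data)
    if ts is not None:
        # Assumption: the marker occupies the low 16 bits of TimeDateStamp.
        return (ts & 0xFFFF) == INFECTION_MARKER
    return False

# Constructed sample headers (not real files) for exercising the check.
def _elf_header(pad_word: int) -> bytes:
    ident = ELF_MAGIC + b"\x01\x01\x01\x00\x00\x00\x00" + struct.pack("<H", pad_word) + b"\x00\x00\x00"
    return ident + b"\x00" * (64 - len(ident))

def _pe_header(timestamp: int) -> bytes:
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C points to 0x40
    coff = PE_MAGIC + struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0)
    return dos + coff

CLEAN_ELF = _elf_header(0x0000)
INFECTED_ELF = _elf_header(INFECTION_MARKER)
CLEAN_PE = _pe_header(0x4436B6F1)
INFECTED_PE = _pe_header(0x00007DFB)
```

Because the marker lives in normally unused header bytes (ELF padding, an implausible PE timestamp), the same check also flags the "already infected" state the virus itself tests for before infecting a file.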


