Gajendra, it's really very good. Thank you for such a nice article.

On Wed, Apr 15, 2009 at 8:37 PM, gajendra khanna <[email protected]> wrote:

> Hope you'll like this informative post.
>
> ---------- Forwarded message ----------
> From: navneet sharma <[email protected]>
> Date: Mon, Apr 13, 2009 at 6:24 AM
> Subject: [ilugd] virus for linux
> To: [email protected]
>
> *A Word on Computer Viruses*
>
> Viruses are, by definition, malicious pieces of code that replicate
> themselves. They can do this through a variety of methods, including
> infecting other executable files or disseminating macros and other forms
> of executable content. Viruses are most commonly spread by users sharing
> files, particularly through email, and also by other means. Viruses are
> well known to have been causing problems for Windows users.
>
> But the question remains: are there any Linux viruses? And if yes, should
> I worry??? The answer is yes to the first question and no to the second
> one. Let me tell you my experience. On my dual-boot home PC I primarily
> work on the Linux partition but occasionally have to boot into the Windows
> partition (usually to do such work as checking an MS Word document's
> formatting, a document that was originally made using Linux/OpenOffice.org
> Writer and saved as an MS Word file; this is another issue where a user is
> forced to use such proprietary software, because a particular agency needs
> a document in a proprietary format, however).
>
> Coming back to the original issue, I almost always find some new virus
> that has infected the Windows partition. These viruses either creep in
> through e-mail or shared folders over the network, and mainly through pen
> drives nowadays.
>
> But I have never had a single incidence of a Linux virus attack on my
> Linux box. Though the fact remains that viruses for Linux do exist, you
> can count them on your fingertips. Now you may ask, "Why don't we have
> viruses in the same proportion under Linux as we have for other
> proprietary OSes?" The answer to this can be found here:
> <http://librenix.com/?inode=21>. This article tries to list and explain
> these known Linux viruses and some of the antivirus software available.
>
> *Known Linux Viruses?*
>
> - Linux.Bliss
> - Linux.Diesel
> - Linux.Gildo
> - Linux.Kagob
> - Linux.Nuxbee
> - Linux.Satyr
> - Linux.Vit.4096
> - Linux.Winter
> - Linux.Zipworm
>
> *1. Linux.Bliss*
>
> These are non-memory-resident parasitic viruses written in GNU C. They
> infect the Linux OS only: infected files may be executed, and the virus
> may spread itself, only under Linux. The viruses search for executable
> Linux files (ELF internal format) and infect them. While infecting, the
> viruses shift the file body down, write themselves to the beginning of the
> file and append the ID-text to the end of the file:
>
> "Bliss.a": infected by bliss: 00010002:000045e4
> "Bliss.b": infected by bliss: 00010004:000048ac
>
> It seems that the former hex number in these lines is a virus version, and
> the latter is the virus length; the virus lengths are 17892 and 18604
> bytes.
>
> When an infected file is run, the "Bliss.a" virus searches for not more
> than three non-infected files and infects them. "Bliss.b" infects more
> files (it is not known how many). If there are no non-infected files in
> the current directory, the virus scans the system and infects files in
> other directories. After infecting, the viruses return control to the host
> program, and it will work correctly.
>
> Linux is an access-protected system; i.e., users and programs may access
> only files that they have permission to. The same goes for a virus: it may
> infect only the files and directories that are declared as "writable" for
> the current username. If the current username has total access (system
> administrator), the virus will infect all the files on the computer.
>
> *2. Linux.Diesel*
>
> This is a relatively harmless, non-memory-resident parasitic virus. It
> searches for Linux executable files in system directories and
> subdirectories, then writes itself to the middle of the file. Before
> searching files, the virus reads its code from the host file. It moves the
> original bytes to the end of the file and increases the size of the
> previous section. After finishing its work, the virus restores the host
> and transfers control to it. The virus contains the text strings:
>
> / home root sbin bin opt
> [ Diesel : Oil, Heavy Petroleum Fraction Used In Diesel Engines ]
>
> *3. Linux.Gildo*
>
> It is not a dangerous, memory-resident parasitic virus. It was written in
> assembler. It uses system calls (syscall) while working with files. The
> virus infects ELF files. It writes itself to the middle of the file.
>
> After it starts, the virus splits off a main process and continues its
> work. The resident part scans the directories from the root. The virus
> checks the access rights for each found file. If the file has write
> access, the virus will infect it. While infecting a file, the virus
> increases its code section size by 4096 bytes and writes its code to the
> free space. After that the virus changes the parameters for the ELF file's
> upper sections and sets up a new entry point for it. The virus displays
> the message on each start:
>
> Gildo virus
> email [email protected] (for comments)
>
> The virus contains the text strings:
>
> hello, nice boys, I hope you will enjoy this program written with nasm. I
> want to say thanks to all my programmers friend. Bye from Gildo.
> The Netwide Assembler 0.98 .symtab .strtab .shstrtab .text .data .sbss
> .bss .comment
>
> It also contains the debug strings (symbol names) from the compiler.
>
> *4. Linux.Kagob*
>
> It is a harmless non-memory-resident parasitic Linux virus. The virus
> itself is a Linux executable module (ELF file). It searches for other ELF
> files in the system, then infects them.
>
> While infecting, the virus moves the victim file's contents down and
> writes itself to the file header. To release control to the host file, the
> virus "disinfects" it to a temporary file and executes it.
>
> The virus does not manifest itself in any way. Its body contains the
> "copyright" text string:
>
> Linux.Kaiowas by Gobleen Warrior//SMF
>
> *5. Linux.Nuxbee*
>
> This is a relatively harmless, non-memory-resident parasitic Linux virus.
> It searches for ELF files in the directory bin, then writes itself to the
> middle of the file. The virus infects files if the current user has
> administrator rights. It writes itself to the entry point offset, encrypts
> and saves the original bytes at the end of the file.
>
> To restore an original file, the virus reads and encrypts the original
> bytes from the host file. It uses file mapping functions to infect files.
> All system functions are summoned by INT 80h (sys call). The virus
> contains the following text string:
>
> NuxBee by Bumblebee - The NeXt Frontier
>
> *6. Linux.Satyr*
>
> This is a harmless non-memory-resident parasitic Linux virus. The virus is
> a Linux executable module (ELF file). It searches for other ELF files in
> the system, and then infects them. The virus infects files in the
> following directories:
>
> - current directory
> - parent directory
> - ~/ (user root directory)
> - ~/bin (user /bin directory)
> - ~/sbin (user /sbin directory)
> - /bin
> - /sbin
> - /usr/bin
> - /usr/local/bin
> - /usr/bin/X11
>
> While infecting, the virus moves a victim file's contents down and writes
> itself to the file header. To release control to the host file, the virus
> "disinfects" it to a temporary file and executes it.
>
> The virus does not manifest itself in any way. Its body contains the
> "copyright" text string:
>
> unix.satyr version 1.0 (c)oded jan-2001 by Shitdown [MIONS],
> http://shitdown.sf.cz
>
> *7. Linux.Vit.4096*
>
> This is a non-memory-resident parasitic virus. The virus has the internal
> ELF format, replicates under the Linux OS and infects Linux executable
> files. Linux is an access-protected system; i.e., users and programs may
> access only files that they have permission to. The same is true for a
> virus: it may infect only the files and directories that are declared as
> "writable" for the current username. If the current username has total
> access (system administrator), the virus will infect all the files on the
> computer.
>
> When an infected file is executed, the virus takes control, searches for
> executable ELF files in the current directory and infects them in the
> middle. While infecting, the virus analyzes the internal file format (ELF
> headers), locates the first code section, makes a "cave" by shifting this
> and the following sections down by 4096 bytes, writes its code to this
> "cave", modifies the file entry address and corrects the necessary fields
> in the ELF headers.
>
> The virus looks for duplicate infection and prevents it, and, in addition,
> the virus infects files quite accurately: in tests, not all infected files
> were corrupted, and the virus was able to replicate itself from them.
>
> While infecting, the virus uses the temporary file VI324.TMP. This file
> name was the reason behind the selection of the virus name (VIxxx.Txx).
>
> *8. Linux.Winter*
>
> This is a harmless non-memory-resident parasitic Linux virus. It is
> extremely small in size for a Linux virus, just 341 bytes (in the known
> virus version).
>
> When an infected file is run, the virus gains control, searches for ELF
> files (Linux executable files) in the current directory, then writes
> itself to the middle of the file, into the unused "Notes" section if there
> is one and it is large enough. While infecting, the virus overwrites the
> "Notes" data in the section, but the program runs properly after that.
>
> The virus contains the text string:
>
> LoTek by Wintermute
>
> The virus has a routine that sets the host name (computer name) to
> "Wintermute", but this routine never gains control.
>
> *9. Linux.Zipworm*
>
> It is a harmless Linux virus affecting ZIP archives.
>
> When the virus is run, it looks for ZIP archives in the current directory
> and adds its copies to them. While infecting, the virus does not use any
> external ZIP processing tool, but parses the ZIP internal format by
> itself. The virus files in the archives have one of five possible names:
>
> - Ten motives why linux sux!
> - Why Windows is superior to Linux!
> - Is Linux for you? Never!
> - Is Linux immune to virus? NO!
> - zipworm!
>
> The virus also contains the "copyright" text:
>
> elf zip worm vecna
>
> *Available Antiviruses Against Linux Viruses?*
>
> My personal experience says that you will never need an antivirus, as the
> incidence of virus attacks hardly exists in the Linux world. But just to
> be on the safer side, should the unseen happen some day, the latest
> version of one of the antiviruses should be kept handy at all times. The
> following is a list of some of the better-known antivirus software for the
> Linux platform, with the interface of each in brackets.
>
> - *AMaViS Virus Scanner* [Console]: A Mail Virus Scanner that scans
>   e-mail attachments for viruses.
> - *AntiVir* [Console]: This is an anti-virus scanner for Linux.
> - *Clam Antivirus* [Console]: Basically made for UNIX.
> - *Kaspersky Anti-Virus for Linux Workstation* [Console]: This is a
>   comprehensive anti-virus defense system for Linux workstations.
> - *McAfee VirusScan Validate* [Console]: This is one of the most popular
>   virus scanning packages available for any platform.
> - *RAV AntiVirus Desktop for Linux* [X11]: Powerful and wisely designed
>   to protect your data from a Linux environment.
> - *SAVget* [Console]: SAVget is a bash script that aims to be a clone of
>   the Windows SGET utility.
> - *TkAntivir* [X11]: This is a graphical front end to the antivirus
>   program H+BEDV AntiVir/X, written in Tcl/Tk.
> - *Vexira Antivirus For Linux Server* [Console]: This is a complete
>   antivirus system designed specifically for Linux servers.
> - *Vexira Antivirus for Linux Workstation* [Console]: This program
>   provides antivirus protection for Linux workstations.
> - *Vexira MailArmor - Linux antivirus for mail servers* [Console]: This
>   is a high-speed Linux antivirus program for mail servers.
>
> Many of these are under the GPL, some under a subscription scheme, and a
> few are commercial.
>
> *Use Linux. Feel Free & Open.*
>
> Regards
> navneet sharma
>
> _______________________________________________
> ilugd mailing list -- [email protected]
> http://frodo.hserus.net/mailman/listinfo/ilugd
> Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi
> http://www.mail-archive.com/[email protected]/

--
thanks and regards
KESHAVA PRATAP SINGH
Entry no.: 2007JCA2227
M Tech in Computer Application
Department of Computer Science And Engineering, Electrical Engineering and Mathematics

l...@iitd community mailing list -- http://groups.google.com/group/iitdlug
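The forwarded article lists a marker string for each virus and says Bliss appends "infected by bliss: <version>:<length>" to the end of the host file. Below is an added example (my own code, not from the post or from any of the antivirus products it names) that scans a file image for those marker strings and parses the Bliss trailer, checking the length against the 17892/18604 byte figures the article gives; the sample input is constructed, not a real binary, and string signatures like these are only a quick triage check, not a substitute for a real scanner.

```python
import re
from typing import Dict, List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"

# Marker strings quoted in the forwarded article, one per listed virus.
MARKERS: Dict[str, bytes] = {
    "Linux.Bliss": b"infected by bliss:",
    "Linux.Diesel": b"[ Diesel : Oil, Heavy Petroleum Fraction Used In Diesel Engines ]",
    "Linux.Gildo": b"Bye from Gildo",
    "Linux.Kagob": b"Linux.Kaiowas by Gobleen Warrior//SMF",
    "Linux.Nuxbee": b"NuxBee by Bumblebee - The NeXt Frontier",
    "Linux.Satyr": b"unix.satyr version 1.0",
    "Linux.Winter": b"LoTek by Wintermute",
    "Linux.Zipworm": b"elf zip worm vecna",
}

# Bliss ID-text at the end of the host: two 8-digit hex fields, version then length.
BLISS_TRAILER = re.compile(rb"infected by bliss: ([0-9a-f]{8}):([0-9a-f]{8})\s*$")


def parse_bliss_trailer(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (version, virus_length) parsed from a Bliss trailer, or None if absent."""
    m = BLISS_TRAILER.search(data[-64:])  # the trailer sits at the very end of the file
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def scan(data: bytes) -> Dict[str, object]:
    """Report which marker strings occur in one file image, plus the Bliss trailer fields."""
    hits: List[str] = [name for name, marker in MARKERS.items() if marker in data]
    report: Dict[str, object] = {"is_elf": data.startswith(ELF_MAGIC), "hits": hits}
    trailer = parse_bliss_trailer(data)
    if trailer is not None:
        report["bliss_version"], report["bliss_length"] = trailer
    return report


# Constructed sample (hypothetical): ELF magic, filler bytes, then a Bliss.a-style trailer.
SAMPLE = ELF_MAGIC + b"\x00" * 60 + b"infected by bliss: 00010002:000045e4\n"

if __name__ == "__main__":
    print(scan(SAMPLE))  # bliss_length 17892 matches the article's Bliss.a figure
```

To run it over real files, read each candidate with open(path, "rb").read() and pass the bytes to scan(); files that are not ELF (is_elf False) but still carry a marker are worth a look too, since Zipworm targets ZIP archives.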
