Which type of virus is this? If you can, give me some brief description.

On 4/15/09, Vishal Garg <vishalgar...@gmail.com> wrote:
> On Mon, Apr 13, 2009 at 11:54 AM, navneet sharma <navneetlinuxexp...@gmail.com> wrote:
>
>> *A Word on Computer Viruses*
>> Viruses are, by definition, malicious pieces of code that replicate themselves. They can do this through a variety of methods, including infecting other executable files or disseminating macros and other forms of executable content. Viruses are most commonly spread by users sharing files, particularly through email, and also by other means. Viruses are well known to have been causing problems for Windows users.
>> But the question remains: are there any Linux viruses? And if yes, should I worry? The answer is yes to the first question and no to the second one.
>> Let me tell you my experience. On my dual boot home PC I primarily work on the Linux partition but occasionally have to boot into the Windows partition (usually to do such work as checking an MS Word document's formatting, a document that was originally made using Linux/OpenOffice.org Writer and saved as an MS Word file; this is another issue where a user is forced to use such proprietary software, because a particular agency needs a document in a proprietary format, however).
>>
>> Coming back to the original issue, I almost always find some new virus that has infected the Windows partition. These viruses either creep in through e-mail or shared folders over the network, and mainly through pen drives nowadays.
>> But I have never had a single incidence of a Linux virus attack on my Linux box. Though the fact remains that viruses for Linux do exist, you can count them on your fingertips. This article tries to list and explain these known Linux viruses and some of the antivirus software available.
>>
>> *Known Linux Viruses?*
>>
>> - Linux.Bliss
>> - Linux.Diesel
>> - Linux.Gildo
>> - Linux.Kagob
>> - Linux.Nuxbee
>> - Linux.Satyr
>> - Linux.Vit.4096
>> - Linux.Winter
>> - Linux.Zipworm
>>
>> *1. Linux.Bliss*
>> These are non-memory resident parasitic viruses written in GNU C. They infect Linux OS only - infected files may be executed, and the virus may spread itself, only under Linux. The viruses search for executable Linux files (ELF internal format) and infect them. While infecting, the viruses shift the file body down, write themselves to the beginning of the file and append to the end of the file the ID-text:
>>
>> "Bliss.a": infected by bliss: 00010002:000045e4
>>
>> "Bliss.b": infected by bliss: 00010004:000048ac
>>
>> It seems that the former hex number in these lines is the virus version, and the latter is the virus length - the virus lengths are 17892 and 18604 bytes.
>>
>> When an infected file is run, the "Bliss.a" virus searches for not more than three non-infected files and infects them. "Bliss.b" infects more files (it is not known how many). If there are not any infected files in the current directory, the virus scans the system and infects the files in other directories. After infecting, the viruses return control to the host program, and it will work correctly.
>>
>> Linux is an access-protected system; i.e., users and programs may access only files that they have permission to. The same goes for a virus - it may infect only the files and directories that are declared as "write-able" for the current username. If the current username has total access (system administrator), the virus will infect all the files on the computer.
>>
>> *2. Linux.Diesel*
>> This is a relatively harmless, non-memory resident parasitic virus. It searches for Linux executable files in system directories and subdirectories, then writes itself to the middle of the file. Before searching files, the virus reads its code from the host file. It moves the original bytes to the end of the file and increases the size of the previous section. After finishing its work, the virus restores the host and transfers control to it. The virus contains the text string:
>> / home root sbin bin opt
>> [ Diesel : Oil, Heavy Petroleum Fraction Used In Diesel Engines ]
>>
>> *3. Linux.Gildo*
>> It is a not dangerous, memory resident parasitic virus. It was written in assembler. It uses system calls (syscall) while working with files. The virus infects ELF files. It writes itself to the middle of the file.
>>
>> After starting, the virus divides the main process and continues its work. The resident part scans the directories from the root. The virus checks the access rights for each found file. If the file has write access the virus will infect it. While infecting a file the virus increases its code section size by 4096 bytes and writes its code to the free space. After that the virus changes parameters for the ELF file's upper sections and sets up a new entry point for it. The virus displays the message on each start:
>>
>> Gildo virus
>> email gi...@jazz.hm (for comments)
>>
>> The virus contains the text strings:
>>
>> hello, nice boys, I hope you will enjoy this program written with nasm. I want to say thanks to all my programmers friend.Bye from Gildo.
>> The Netwide Assembler 0.98 .symtab .strtab .shstrtab .text .data .sbss .bss .comment
>>
>> It also contains the debug strings from the compiler:
>>
>> virus.asm parent parent_process ahah scan_dir c_stat others_permissions user_permissions group_permissions c_permissions is_regular_file c1_is_regular_file c2_is_regular_file is_directory c1_is_directory l_readdir skip_l_readdir e_l_readdir error_stat error_opening_file e_scan_dir infect_file open no_open_error file_length mmap c_mmap is_suitable error_suitable c1_is_suitable read_ehdr c_ehdr is_suitable_space patch_ehdr patch_e_entry patch_e_sh_offset patch_phdrs l_read_ph dont_patch_phtext dont_patch_ph patch_shdrs l_read_sh dont_patch_shtext dont_patch_sh find_current_entry_point write suit_error munmap mmap_error close open_error __exit __bss_start main _edata _end
>>
>> *4. Linux.Kagob*
>> It is a harmless non-memory resident parasitic Linux virus. The virus itself is a Linux executable module (ELF file). It searches for other ELF files in the system, then infects them.
>>
>> While infecting, the virus moves the victim file's contents down, and writes itself to the file header. To release control to the host file the virus "disinfects" it to a temporary file and executes it.
>>
>> The virus does not manifest itself in any way. Its body contains the "copyright" text string:
>>
>> Linux.Kaiowas by Gobleen Warrior//SMF
>>
>> *5. Linux.Nuxbee*
>> This is a relatively harmless, non-memory resident parasitic Linux virus. It searches for ELF files in the directory bin, then writes itself to the middle of the file. The virus infects files if the current user has administrator rights. It writes itself to the entry point offset, encrypts and saves the original bytes at the end of the file.
>>
>> To restore the original file, the virus reads and encrypts the original bytes from the host file. It uses file mapping functions to infect files. All system functions are summoned by INT 80h (syscall). The virus contains the following text string:
>>
>> NuxBee by Bumblebee - The NeXt Frontier
>>
>> *6. Linux.Satyr*
>> This is a harmless non-memory resident parasitic Linux virus. The virus is a Linux executable module (ELF file). It searches for other ELF files in the system, and then infects them. The virus infects files in the following directories:
>>
>> current directory
>> parent directory
>> ~/ (user root directory)
>> ~/bin (user /bin directory)
>> ~/sbin (user /sbin directory)
>> /bin
>> /sbin
>> /usr/bin
>> /usr/local/bin
>> /usr/bin/X11
>>
>> While infecting, the virus moves the victim file's contents down, and writes itself to the file header. To release control to the host file, the virus "disinfects" it to a temporary file and executes it.
>>
>> The virus does not manifest itself in any way. Its body contains the "copyright" text string:
>>
>> unix.satyr version 1.0 (c)oded jan-2001 by Shitdown [MIONS], http://shitdown.sf.cz
>>
>> *7. Linux.Vit.4096*
>> This is a non-memory resident parasitic virus. The virus has the internal ELF format, replicates under Linux OS and infects Linux executable files. Linux is an access-protected system; i.e., users and programs may access only files that they have permission to. The same is true for a virus - it may infect only the files and directories that are declared as "write-able" for the current username. If the current username has total access (system administrator), the virus will infect all the files on the computer.
>>
>> When an infected file is executed, the virus takes control, searches for executable ELF files in the current directory and infects them in the middle. While infecting, the virus analyzes the internal file format (ELF headers), locates the first code section, makes a "cave" by shifting this and the following sections down by 4096 bytes, writes its code to this "cave", modifies the file entry address and corrects the necessary fields in the ELF headers.
>>
>> The virus looks for duplicate infection and prevents it, and, in addition, the virus infects files quite accurately: in tests, not all infected files were corrupted, and the virus was able to replicate itself from them.
>>
>> While infecting, the virus uses the temporary file VI324.TMP. This file name was the reason behind the selection of the virus name (VIxxx.Txx).
>>
>> *8. Linux.Winter*
>> This is a harmless non-memory resident parasitic Linux virus. It is extremely small in size for a Linux virus - just 341 bytes (in the known virus version).
>>
>> When an infected file is run, the virus gains control, searches for ELF files (Linux executable files) in the current directory, then writes itself to the middle of the file, into the unused "Notes section" if there is one and it has enough size. While infecting, the virus overwrites "Notes" data in the section, but the program runs properly after that.
>>
>> The virus contains the text string:
>> LoTek by Wintermute
>>
>> The virus has a routine that sets the host name (computer name) to "Wintermute", but this routine never gains control.
>>
>> *9. Linux.Zipworm*
>> It is a harmless Linux virus affecting ZIP archives.
>>
>> When the virus is run, it looks for ZIP archives in the current directory and adds its copies to them. While infecting, the virus does not use any external ZIP processing tool, but parses ZIP internal formats by itself. The virus files in archives have one of five possible names:
>>
>> Ten motives why linux sux!
>> Why Windows is superior to Linux!
>> Is Linux for you? Never!
>> Is Linux immune to virus? NO!
>> zipworm!
>>
>> The virus also contains the "copyright" text:
>>
>> elf zip worm vecna
>>
>> *Available Antiviruses Against Linux Viruses?*
>>
>> My personal experience says that you will never need an antivirus, as the incidence of virus attacks hardly exists in the Linux world. But just to be on the safer side, should the unseen happen some day, the latest version of one of the antivirus programs should be kept handy at all times. The following is a list of some of the better known antivirus software for the Linux platform.
>>
>> *Antivirus Name and Description* - *Interface*
>>
>> *AMaViS Virus Scanner*: A Mail Virus Scanner scans e-mail attachments for viruses. - Console
>> *AntiVir*: This is an anti-virus scanner for Linux. - Console
>> *Clam Antivirus*: Basically made for UNIX. - Console
>> *Kaspersky Anti-Virus for Linux Workstation*: This is a comprehensive anti-virus defense system for Linux workstations. - Console
>> *McAfee VirusScan Validate*: This is one of the most popular virus scanning packages available for any platform. - Console
>> *RAV AntiVirus Desktop for Linux*: Powerful and wisely designed to protect your data from a Linux environment. - X11
>> *SAVget*: SAVget is a bash script that aims to be a clone of the Windows SGET utility. - Console
>> *TkAntivir*: This is a graphical front end to the antivirus program H+BEDV AntiVir/X written in Tcl/Tk. - X11
>> *Vexira Antivirus For Linux Server*: This is a complete antivirus system designed specifically for Linux servers. - Console
>> *Vexira Antivirus for Linux Workstation*: This program provides antivirus protection for Linux workstations. - Console
>> *Vexira MailArmor - Linux antivirus for mail servers*: This is a high-speed Linux antivirus program for mail servers. - Console
>>
>> Many of these are under GPL, some under a subscription scheme and a few are commercial ones.
>>
>> Now you may ask "Why don't we have viruses in the same proportion under Linux as we have for other proprietary OSes?" The answer to this can be found here <http://librenix.com/?inode=21>.
>>
>> *Use Linux Feel Free & Open.*
>>
>> Regards
>> navneet sharma
>> _______________________________________________
>> ilugd mailinglist -- ilugd@lists.linux-delhi.org
>> http://frodo.hserus.net/mailman/listinfo/ilugd
>> Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi
>> http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
>
> That was really informative..
> thanks man!
>
> --
> VISHAL GARG
> Linux User #487206
> vishalgar...@gmail.com
> "Learning is not compulsory... neither is survival"
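One defender-side use of the marker strings quoted in the post above: a small Python scanner (an added example, not code from the post or from any of the antivirus products it lists) that flags ELF images carrying those strings and decodes a Bliss ID-text tail into the version and length fields the post describes, checking them against the two known variants. The sample images are constructed here from an ELF magic plus filler and are not real programs.

```python
import re

ELF_MAGIC = b"\x7fELF"

# Marker strings quoted in the post for each family (table constructed here
# from those quotes; a real scanner would carry far more than this).
FAMILY_STRINGS = {
    "Linux.Diesel": b"Diesel : Oil, Heavy Petroleum Fraction",
    "Linux.Gildo": b"program written with nasm",
    "Linux.Kagob": b"Linux.Kaiowas by Gobleen Warrior",
    "Linux.Nuxbee": b"NuxBee by Bumblebee",
    "Linux.Satyr": b"unix.satyr version 1.0",
    "Linux.Winter": b"LoTek by Wintermute",
}

# Bliss appends "infected by bliss: <version>:<length>" after the host body,
# so the marker is only trusted when it sits at the very end of the image.
BLISS_TAIL = re.compile(rb"infected by bliss: ([0-9a-f]{8}):([0-9a-f]{8})\s*$")
BLISS_LENGTHS = {0x00010002: 17892, 0x00010004: 18604}  # lengths stated in the post


def scan_elf(data: bytes) -> dict:
    """Report which marker strings an ELF image carries. For a Bliss tail the
    version and length fields are decoded and checked against the known variants."""
    result = {"is_elf": data.startswith(ELF_MAGIC), "families": [], "bliss": None}
    if not result["is_elf"]:
        return result  # the families in the post only infect ELF files
    result["families"] = [fam for fam, s in FAMILY_STRINGS.items() if s in data]
    match = BLISS_TAIL.search(data[-64:])
    if match:
        version, length = int(match.group(1), 16), int(match.group(2), 16)
        result["families"].append("Linux.Bliss")
        result["bliss"] = {"version": version, "length": length,
                           "known_variant": BLISS_LENGTHS.get(version) == length}
    return result


# Constructed samples: ELF magic plus filler bytes, not real programs.
FAKE_HOST = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57 + b"host code"
SAMPLE_BLISS_A = FAKE_HOST + b"infected by bliss: 00010002:000045e4"
SAMPLE_WINTER = FAKE_HOST + b"LoTek by Wintermute"
SAMPLE_CLEAN = FAKE_HOST

if __name__ == "__main__":
    for name, blob in (("bliss_a", SAMPLE_BLISS_A), ("winter", SAMPLE_WINTER), ("clean", SAMPLE_CLEAN)):
        print(name, scan_elf(blob))
```

Pointing `scan_elf` at real files means reading them in binary mode; the tail check deliberately ignores a Bliss string that is not the last thing in the file, since the post says the ID-text is appended after the host body.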