Home page logo
/

bugtraq logo Bugtraq mailing list archives

[linux-security] Linux virus
From: aleph1 () DFW NET (Aleph One)
Date: Tue, 4 Feb 1997 12:02:42 -0600


ugh:)

Today I became infected with the bliss virus, any info on this would be
appreciated!  How do I scan for files infected and is it possible to
remove it?  I first noticed the infection when running a program (not as
root) messages flashed on the screen about transversing directories and
such.  The program (gimp) had been working fine since I downloaded the
binary for gimp from their main site.  The gimp people told me they have
not been receiving complaints their binaries are infected, so something
else must be the source.

Here are a few lines from the infected file:

infected by bliss %.8x: %.8x
^ () a^@%d %.8x %s/%s
^ () %s bliss-tmp %d^@%s already infected (%.8x)
^ () skipping, infected with same vers or different type
^ () replacing older version
^ () replacing ourselves with newer version
^@/^ () dir: %s, file: %s, new size: %d
^ () infecting: %s, %d bytes
^ () infect() returning success
^ () been to %s already!
^ ()  ^@..^ () traversing %s
^ () our size is %d!
^ () copy() returning success
^ () copy() returning failure
^ () disinfecting: %s
^ () %s: not infected
^ () couldn't malloc %d bytes, skipping %s
^ () couldn't read() all %d bytes
^ () read %d bytes
^ () happy_commit() failed, skipping %s
^ () couldn't write() all %d bytes, hope you had backups!


I am presently using this to scan for it in my home dir:

grep infected /home/peter/**/*(xD/)

Any help would be great!!!

Rgds,

Peter.

[mod: It looks as if lots of debugging strings are still in the binary.
Odd that this "debugging version" would be in the wild.
Peter, can you verify that it indeed is a virus? Unless it knows of
ways to become root, you should be safe if you add a new user-account,
place an infected binary and a few uninfected binaries in that users
account. Make sure that you have an unmodified version available for
comparison.
On one hand I don't like to approve this until Peter has verified this,
but on the other hand if there is really a linux-virus on the loose, you
all would like to hear about it ASAP right? -- REW]



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]