mailing list archives
Re: Bliss: The Facts (fwd)
From: aleph1 () DFW NET (Aleph One)
Date: Sun, 9 Feb 1997 19:56:38 -0600
Ingo Molnar writes:
----- Forwarded message from Alan Cox -----
From: alan () lxorguk ukuu org uk (Alan Cox)
Subject: Bliss: The Facts
Date: Sat, 8 Feb 1997 01:24:30 +0000 (GMT)
1. Bliss is a real program
2. Its really a trojan rather than a virus, but has a few simple worm
Unfortunately, Alan's 'facts' seem to be based on the faulty comments of
others, and not actually having looked at the program.
It is indeed a virus, and there are two versions of it. The first, which
was posted to usenet some months ago, did not run the original if the
infected binary is not in the current directory. The second searches the
path and properly runs the original.
It is correct that it has a few simple worm-like properties.
It works like this
When it runs it attempts to replace some system binaries with itself
and move the system binaries into /tmp/.bliss. Having done this
it runs /tmp/.bliss/programname
It prepends itself to some binaries (searching the path, and some other
places). It logs infections to the file /tmp/.bliss (filename, time, and
apparantly the virus version). When an infected binary is run, it extracts
the original to /tmp and execs it.
All of this is readily observable after spending just a few minutes playing
with the program.
- Re: Bliss: The Facts (fwd) Aleph One (Feb 10)