Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Bliss: The Facts (fwd)
From: aleph1 () DFW NET (Aleph One)
Date: Sun, 9 Feb 1997 19:56:38 -0600

Ingo Molnar writes:
----- Forwarded message from Alan Cox -----

From: alan () lxorguk ukuu org uk (Alan Cox)
Subject: Bliss: The Facts
Date:   Sat, 8 Feb 1997 01:24:30 +0000 (GMT)

1.      Bliss is a real program

2.      Its really a trojan rather than a virus, but has a few simple worm
        like properties.

Unfortunately, Alan's 'facts' seem to be based on the faulty comments of
others, and not actually having looked at the program.

It is indeed a virus, and there are two versions of it. The first, which
was posted to usenet some months ago, did not run the original if the
infected binary is not in the current directory. The second searches the
path and properly runs the original.

It is correct that it has a few simple worm-like properties.

It works like this

        When it runs it attempts to replace some system binaries with itself
        and move the system binaries into /tmp/.bliss. Having done this
        it runs /tmp/.bliss/programname

It prepends itself to some binaries (searching the path, and some other
places). It logs infections to the file /tmp/.bliss (filename, time, and
apparantly the virus version). When an infected binary is run, it extracts
the original to /tmp and execs it.

All of this is readily observable after spending just a few minutes playing
with the program.

  By Date           By Thread  

Current thread:
  • Re: Bliss: The Facts (fwd) Aleph One (Feb 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]