Bugtraq mailing list archives

Re: Possible local DoS in sendmail
From: nobody () REPLAY COM (Anonymous)
Date: Tue, 30 Mar 1999 05:31:34 +0200


LART* Advisory LA-99.01.Tuxissa
Original issue date: Apr. 0a, 1999
Last revised: --

Topic: Attack of the Tuxissa Virus

This advisory is intended primarily for network administrators responsible for
luser configuration and maintenance.

Attack of the Tuxissa Virus
March 29, 1999

What started out as a prank posting to
comp.os.linux.advocacy yesterday has turned into one of the
most significant viruses in computing history.   The
creator of the virus, who goes by the moniker "Anonymous
Longhair", modified the well-known Melissa[1] virus to
download and install Linux on infected machines.

"It's a work of art," one Linux advocate told Humorix after
he looked through the Tuxissa virus source code.  "This
virus goes well beyond the feeble troublemaking of
Melissa."  The advocate enumerated some of the tasks the
virus performs in the background while the user is
blissfully playing Solitaire:

Once the virus is activated, it first works on propagating
itself. It has a built-in email harvesting module that
downloads all the pages referenced in the user's Internet
Explorer bookmarks and scans them for email addresses.
Using Outlook, the virus sends a copy of itself to every
email address it comes across.

After it has successfully reproduced, the virus begins the
tricky process of upgrading the system to Linux.   First,
the virus modifies AUTOEXEC.BAT so that the virus will be
re-activated if the system crashes or is shut down while
the upgrade is in process. Second, the virus downloads a
stripped-down Slackware distribution, using a lengthy list
of mirror sites to prevent the virus from overloading any
one server.

Then the virus configures a UMSDOS filesystem to install
Linux on.  Since this filesystem resides on a FAT
partition, there is no need to re-partition the hard drive,
one of the few actions that the Word macro language
doesn't allow.

Next, the virus uncompresses the downloaded files into the
new Linux filesystem.  The virus then permanently deletes
all copies of the Windows Registry, virtually preventing
the user from booting into Windows without a re-install.
After modifying the boot sector, the virus terminates its
own life by rebooting the system. The computer boots into
the Slackware setup program, which automatically finishes
the installation of Linux.  Finally, the dazed user is
presented with the Linux login prompt and the text,
"Welcome to Linux.  You'll never want to use Windows again.
Type 'root' to begin..."

The whole process takes about two hours, assuming the user
has a decent Internet connection.  Since the virus runs
invisibly in the background, the user has no chance to stop
it until it's too late.

The email message that the virus is attached to has the
subject "Important Message About Windows Security".  The
text of the body says, "I want to let you know about some
security problems I've uncovered in Windows 95/98/NT,
Office 95/97, and Outlook. It's critically important that
you protect your system against these attacks.  Visit these
sites for more information..."  The rest of the message
contains 42 links to sites about Linux and free software.

Slashdot is one of those links.  "That could spell
trouble," one Slashdot expert told Humorix.  "Slashdot
could fall victim to the new 'Macro Virus Effect' if this
virus continues to propagate at its present exponential
growth rate.  Red Hat's portal site, another site present
on the virus' links list, seems to be quite sluggish right

Details on how the virus started are a bit sketchy.  The
"Anonymous Longhair" who created it only posted it to
Usenet as an early April Fool's gag, a demonstration of how
easy it would be to mount a "Linux revolution".  Some other
Usenet reader is responsible for actually spreading the
virus into the wild.  One observer speculated, "I imagine
the virus was first sent to the addresses of several
well-known spammers.  The virus probably latched on to the
spammer's email lists and began propagating at a fantastic
rate.  With no boundary to its growth, this thing could
wind up infecting every single Net-connected Wintel box in
the world.  Wouldn't that be a shame!"

Linus Torvalds, who just left for a two week vacation, was
unavailable for comment at press time.  We have a strong
feeling that his vacation will be cut short very soon...

[1] http://linuxtoday.com/stories/4463.html

James S. Baughn

Version: 2.6.2

