Information Security News mailing list archives

A Virus That Leaps Platforms


From: InfoSec News <isn () C4I ORG>
Date: Tue, 27 Mar 2001 21:16:48 -0600

http://www.wired.com/news/technology/0,1282,42672,00.html

by Michelle Delio
4:10 p.m. Mar. 27, 2001 PST

A security company has identified what is believed to be the first
virus with cross-platform abilities -- it can infect both Windows and
Linux operating systems.

And the virus writer claims his virus is a General Public License
release, the same license that protects the rights of many GNU/Linux
programmers.

This equal opportunity virus, dubbed W32.Winux, was identified by
security firm Central Command on Tuesday.

The virus is more of an interesting proof of a concept than a real
threat to computer users, said Steven Sundermeier, product manager at
Central Command.

"It is believed to have originated out of the Czech Republic and does
not have a destructive payload," Sundermeier said.

W32.Winux is not affecting many computers, nor is it apt to spread
quickly, as people do not tend to share executable programs between
machines running Linux operating systems and machines running Windows
operating systems.

But Sundermeier noted that W32.Winux does represent an interesting
technological innovation that may lead to more destructive viruses in
the future.

Also called "Linux.Winux," W32.Winux is a non-memory resident virus.
It can replicate under Windows 95/98/Me/NT/2000 (Win32) and Linux
operating systems and it infects EXE (Windows executable) and ELF
files (Linux executable).

The infection method is not sophisticated. The virus overwrites the
".reloc" section of Windows executable files. If the .reloc section size
is not large enough to hold the virus body, the file is not infected.
It does not destroy data but can impact an infected machine's
performance due to the background activity of the virus.

ELF executables are also infected by overwriting. When an infected ELF
application is executed, the virus code takes control, spreads
further, and then passes control back to the host file.

In a rather twisted mockery of open source spirit, the original virus
code is then stored at the end of the ELF executable.

W32.Winux's coding also contains the following text:
"[Win32/Linux.Winux] multi-platform virus by Benny/29A" and "This GNU
program is covered by GPL."

GPL is the General Public License that many GNU/Linux programs are
released under. The license was designed to encourage the distribution
of software with its source code and to encourage people to change and
modify as they choose the GPL software that they own.

"W32.Winux is a sad use of an extraordinary innovation in software
development," said Frank Corinne, a GNU/Linux programmer.

"The idea of some idiot making a virus tagged as a GPL release makes
me sick."

ISN is hosted by SecurityFocus.com
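
The article says the virus overwrites the .reloc section of Windows executables. The following is an added example, not part of the original article and not a signature for W32.Winux: a generic check for a .reloc section that no longer looks like relocation data. The three heuristics and the names reloc_findings, sample_pe, CLEAN and FILLED are assumptions made for illustration.

```python
import struct

MEM_EXECUTE = 0x20000000  # IMAGE_SCN_MEM_EXECUTE section flag
def reloc_findings(pe):
    """Return reasons why .reloc no longer looks like relocation data."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    magic, entry = struct.unpack_from("<H14xI", pe, opt)
    dirs = opt + (112 if magic == 0x20B else 96)           # PE32+ or PE32
    dir_rva, dir_size = struct.unpack_from("<II", pe, dirs + 8 * 5)
    findings = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, flags = struct.unpack_from(
            "<8sIIII12xI", pe, opt + opt_size + 40 * i)
        if name.rstrip(b"\0") != b".reloc":
            continue
        if flags & MEM_EXECUTE:
            findings.append("section is executable")
        if va <= entry < va + max(vsize, rsize):
            findings.append("entry point inside section")
        if not (dir_size and va <= dir_rva < va + rsize):
            continue
        # Genuine content is a chain of blocks: page RVA, block size, entries.
        off = rptr + dir_rva - va
        end = min(off + dir_size, rptr + rsize, len(pe))
        while off < end:
            size = struct.unpack_from("<I", pe, off + 4)[0] if off + 8 <= end else 0
            if size < 8 or size % 4 or off + size > end:
                findings.append("malformed relocation blocks")
                break
            off += size
    return findings

def sample_pe(body, flags, entry):
    """Constructed input: minimal PE32, one .reloc section at RVA 0x1000."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H14xI", 0x10B, entry).ljust(96, b"\0")
    for i in range(16):                                    # data directories
        opt += struct.pack("<II", *((0x1000, len(body)) if i == 5 else (0, 0)))
    sec = struct.pack("<8sIIII12xI", b".reloc", len(body), 0x1000,
                      len(body), 512, flags)
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(512, b"\0") + body

CLEAN = sample_pe(struct.pack("<IIHH", 0x2000, 12, 0x3010, 0), 0x42000040, 0x2000)
FILLED = sample_pe(b"\xCC" * 64, 0xE0000020, 0x1000)       # non-relocation bytes
```

Calling reloc_findings(CLEAN) returns an empty list, while reloc_findings(FILLED) reports all three conditions; any single finding is a reason to look closer, not proof of infection.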