Bugtraq mailing list archives
[linux-security] Linux virus
From: aleph1 () DFW NET (Aleph One)
Date: Tue, 4 Feb 1997 12:02:42 -0600
ugh:) Today I became infected with the bliss virus, any info on this would be appreciated! How do I scan for files infected and is it possible to remove it?

I first noticed the infection when running a program (not as root) messages flashed on the screen about traversing directories and such. The program (gimp) had been working fine since I downloaded the binary for gimp from their main site. The gimp people told me they have not been receiving complaints their binaries are infected, so something else must be the source.

Here are a few lines from the infected file:

    infected by bliss %.8x: %.8x
    ^@a^@%d %.8x %s/%s
    ^@%s.bliss-tmp.%d^@%s already infected (%.8x)
    ^@skipping, infected with same vers or different type
    ^@replacing older version
    ^@replacing ourselves with newer version
    ^@/^@dir: %s, file: %s, new size: %d
    ^@infecting: %s, %d bytes
    ^@infect() returning success
    ^@been to %s already!
    ^@.^@..^@traversing %s
    ^@our size is %d!
    ^@copy() returning success
    ^@copy() returning failure
    ^@disinfecting: %s
    ^@%s: not infected
    ^@couldn't malloc %d bytes, skipping %s
    ^@couldn't read() all %d bytes
    ^@read %d bytes
    ^@happy_commit() failed, skipping %s
    ^@couldn't write() all %d bytes, hope you had backups!

I am presently using this to scan for it in my home dir:

    grep infected /home/peter/**/*(xD/)

Any help would be great!!!

Rgds,
Peter.

[mod: It looks as if lots of debugging strings are still in the binary. Odd that this "debugging version" would be in the wild.

Peter, can you verify that it indeed is a virus? Unless it knows of ways to become root, you should be safe if you add a new user-account, place an infected binary and a few uninfected binaries in that user's account. Make sure that you have an unmodified version available for comparison.

On one hand I don't like to approve this until Peter has verified this, but on the other hand if there is really a linux-virus on the loose, you all would like to hear about it ASAP, right? -- REW]
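One way to run the scan the message asks about, as an added example that is not part of the original post: it walks a directory tree and reports executable regular files containing marker strings taken from the excerpt quoted above. The function names are hypothetical, the sample files are constructed, and a match is only an indicator, since any file that quotes these strings (a saved copy of this message, for instance) also contains them.

```python
import os
import stat
import tempfile

# Marker strings copied from the excerpt quoted in the post above.
MARKERS = (b"infected by bliss", b".bliss-tmp.", b"happy_commit() failed")
CHUNK = 1 << 16
OVERLAP = max(len(m) for m in MARKERS) - 1

def markers_in_file(path):
    """Return the set of markers found in path, reading it in chunks."""
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return found
            window = tail + block
            found.update(m for m in MARKERS if m in window)
            tail = window[-OVERLAP:]  # keeps a marker split across two chunks visible

def scan_tree(root):
    """Map each executable regular file under root to the markers it contains."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked directories
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                    continue  # skip symlinks, devices and non-executable files
                found = markers_in_file(path)
            except OSError:
                continue  # unreadable file: skipped rather than aborting the scan
            if found:
                hits[path] = found
    return hits

def demo():
    """Constructed sample tree: a clean binary, one carrying a marker, a text note."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"clean": (b"\x7fELF" + b"\0" * 64, 0o755),
                   "suspect": (b"\x7fELF" + b"A" * (CHUNK - 10) + b"infected by bliss\0", 0o755),
                   "note.txt": (b"infected by bliss", 0o644)}
        for name, (data, mode) in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
            os.chmod(os.path.join(root, name), mode)
        return {os.path.basename(p): sorted(m) for p, m in scan_tree(root).items()}
```

Following the moderator's advice, any file this reports should then be compared against an unmodified copy of the same binary before concluding it is infected.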