Bugtraq mailing list archives
Re: [linux-security] Re: Linux virus
From: fuego+ () CMU EDU (Leejay Wu)
Date: Wed, 5 Feb 1997 11:48:49 -0500
Excerpts from internet.computing.linux-security: 5-Feb-97 [linux-security] Re: Linux .. by Jim Dennis () starshine org
Today I became infected with the bliss virus, any info on this would be appreciated! How do I scan for files infected and is it possible to remove it? I first noticed the infection when running a program (not as root) messages flashed on the screen about transversing directories and such. The program (gimp) had been working fine since I downloaded the binary for gimp from their main site. The gimp people told me they have not been receiving complaints their binaries are infected, so something else must be the source.
Memory plus a Dejanews search reveals seven posts last fall that were crossposted to... alt.comp.virus, comp.os.linux.misc, and comp.security.unix. (dejanews filter: newsgroups: comp.os.linux.* subject: bliss ) -- The original post was a forgery with the subject "oops, I leaked an alpha copy of Bliss", crossposed to comp.os.linux.misc, *alt.comp.virus*, and comp.security.unix ..., posted Sep. 29, 1996, with these headers as archived by dejanews: Subject: oops, I leaked an alpha copy of Bliss (i386-linux-elf binary only) From: nobody () aol com Date: 1996/09/29 Message-Id: <i.forged.this.post.cause () i dont want it to be known who leaked this earl y> X-Mail2news-Path: news.demon.net!agora.rdrop.com!191.87.208.4 X-Nntp-Posting-User: nobody@"[191.87.208.4]" Newsgroups: alt.comp.virus,comp.os.linux.misc,comp.security.unix -- Perhaps somebody has already tried to track that down? Or has a full copy of the original post? That's the first mention of it that I remember, or that Dejanews found in comp.os.linux.* ... -- This provided a UUencoded gzipped file titled 'bliss.gz', that was discussed as having the properties cited recently (searching through the PATH and infecting files). -- In the same set of seven posts, there's an strace, the original of a recently reposted post on removing bliss, and a dump of the strings in the binary. Hope that helps. --Leejay Wu- PGP keyprint: 00 27 9C F3 2B ED 9C 30 86 F7 B2 07 C9 6D 52 0D-- | <fuego+ () cmu edu> ...there is no light but for darkness... conflict brings | | truth... I speak for none but myself... finger for W3 URLs, PGP stuff | --Carpe carp --- Information is power ---- this .sig last revised 960905-----
Current thread:
- [linux-security] Linux virus Aleph One (Feb 04)
- Re: [linux-security] Linux virus Jim Dennis (Feb 05)
- Re: [linux-security] Re: Linux virus Alan Cox (Feb 05)
- Re: [linux-security] Re: Linux virus Leejay Wu (Feb 05)
- bliss version 0.4.0 nobody () INTERNIC NET (Feb 05)
- HPSBUX9702-052 Security Vulnerability in the rlogin executable Aleph One (Feb 05)
- [linux-security] Re: Linux virus Aleph One (Feb 06)
- setlocale() bug in all released versions of FreeBSD (SA-97:01) Aleph One (Feb 06)
- Wierd behavior of MS's NT4 DNS Jason T. Luttgens (Feb 07)
- New OFFICIAL patch for BSD/OS 2.1 (*SECURITY*) (fwd) Josh Gilliam (Feb 07)
- Bliss: The Facts Jared Mauch (Feb 08)
- view-source myst (Feb 08)
- IRIX: Bug in startmidi David Hedley (Feb 09)
- Re: IRIX: Bug in startmidi Nafees Bin Zafar (Feb 09)
(Thread continues...)
- Re: [linux-security] Linux virus Jim Dennis (Feb 05)