Bugtraq mailing list archives
Re: [linux-security] Re: Linux virus
From: fuego+ () CMU EDU (Leejay Wu)
Date: Wed, 5 Feb 1997 11:48:49 -0500
Excerpts from internet.computing.linux-security: 5-Feb-97 [linux-security] Re: Linux .. by Jim Dennis () starshine org
Today I became infected with the bliss virus, any info on this would be appreciated! How do I scan for files infected and is it possible to remove it? I first noticed the infection when running a program (not as root): messages flashed on the screen about traversing directories and such. The program (gimp) had been working fine since I downloaded the binary for gimp from their main site. The gimp people told me they have not been receiving complaints that their binaries are infected, so something else must be the source.
Memory plus a Dejanews search reveals seven posts last fall that were
crossposted to... alt.comp.virus, comp.os.linux.misc, and comp.security.unix.
(dejanews filter:
    newsgroups:    comp.os.linux.*
    subject:       bliss
)
-- The original post was a forgery with the subject "oops, I leaked an
    alpha copy of Bliss", crossposted to comp.os.linux.misc, *alt.comp.virus*,
    and comp.security.unix ..., posted Sep. 29, 1996, with these headers as
    archived by dejanews:
Subject:      oops, I leaked an alpha copy of Bliss (i386-linux-elf binary only)
From:         nobody () aol com
Date:         1996/09/29
Message-Id:   <i.forged.this.post.cause () i dont want it to be known who leaked this early>
X-Mail2news-Path: news.demon.net!agora.rdrop.com!191.87.208.4
X-Nntp-Posting-User: nobody@"[191.87.208.4]"
Newsgroups:   alt.comp.virus,comp.os.linux.misc,comp.security.unix
-- Perhaps somebody has already tried to track that down?  Or has a full copy
   of the original post?  That's the first mention of it that I remember, or
   that Dejanews found in comp.os.linux.* ...
-- This provided a UUencoded gzipped file titled 'bliss.gz', that was
   discussed as having the properties cited recently (searching through the
   PATH and infecting files).
-- In the same set of seven posts, there's an strace, the original of
   a recently reposted post on removing bliss, and a dump of the strings
   in the binary.
Hope that helps.
--Leejay Wu- PGP keyprint: 00 27 9C F3 2B ED 9C 30  86 F7 B2 07 C9 6D 52 0D--
| <fuego+ () cmu edu> ...there is no light but for darkness... conflict brings |
| truth... I speak for none but myself...     finger for W3 URLs, PGP stuff |
--Carpe carp --- Information is power ---- this .sig last revised 960905-----
