Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
[linux-security] Linux virusAleph One (aleph1DFW.NET)
Tue, 4 Feb 1997 12:02:42 -0600
- Messages sorted by: [ date ][ thread ][ subject ][ author ]
- Next message: Aleph One: "[linux-security] Re: Linux virus"
- Previous message: Thomas Roessler: "Re: Linux rcp bug"
- Next in thread: Jim Dennis: "Re: [linux-security] Linux virus"
ugh :) Today I became infected with the bliss virus, any info on this would be appreciated! How do I scan for files infected and is it possible to remove it? I first noticed the infection when running a program (not as root) messages flashed on the screen about transversing directories and such. The program (gimp) had been working fine since I downloaded the binary for gimp from their main site. The gimp people told me they have not been receiving complaints their binaries are infected, so something else must be the source. Here are a few lines from the infected file: infected by bliss %.8x: %.8x ^a^%d %.8x %s/%s ^%s.bliss-tmp.%d^%s already infected (%.8x) ^skipping, infected with same vers or different type ^replacing older version ^replacing ourselves with newer version ^/^dir: %s, file: %s, new size: %d ^infecting: %s, %d bytes ^infect() returning success ^been to %s already! ^.^..^traversing %s ^our size is %d! ^copy() returning success ^copy() returning failure ^disinfecting: %s ^%s: not infected ^couldn't malloc %d bytes, skipping %s ^couldn't read() all %d bytes ^read %d bytes ^happy_commit() failed, skipping %s ^couldn't write() all %d bytes, hope you had backups! I am presently using this to scan for it in my home dir: grep infected /home/peter/**/*(xD/) Any help would be great!!! Rgds, Peter. [mod: It looks as if lots of debugging strings are still in the binary. Odd that this "debugging version" would be in the wild. Peter, can you verify that it indeed is a virus? Unless it knows of ways to become root, you should be safe if you add a new user-account, place an infected binary and a few uninfected binaries in that users account. Make sure that you have an unmodified version available for comparison. On one hand I don't like to approve this until Peter has verified this, but on the other hand if there is really a linux-virus on the loose, you all would like to hear about it ASAP right? -- REW]