VIRUS ALERT
BLISS
The first LINUX based viruses
Eugene KASPERSKY, author of AVP (AntiVIRAL toolkit PRO), has isolated and studied the first two LINUX-based viruses.
February 9, 1997
Here is the technical record on them. Any corrections or additions will be provided on this web site.
The following material is copyrighted
Linux.Bliss
These are non-memory-resident parasitic viruses written in GNU C.
They infect Linux only: infected files can be executed, and the virus can spread, only under Linux. The viruses search for executable
Linux files (ELF internal format) and infect them. When infecting a file, the viruses shift the file body down, write themselves to the beginning of the file and
append the following ID-text to the end of the file:
"Bliss.a": infected by bliss: 00010002:000045e4
"Bliss.b": infected by bliss: 00010004:000048ac
It seems that the first hex number in these lines is the virus version and the second is the virus length: the virus lengths are 17892 and 18604 bytes.
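A detection check built on the ID-text described above, as an added example that is not part of the original report or of AVP. It assumes the marker sits within the last 256 bytes of the file and that the quoted text after the "Bliss.a"/"Bliss.b" label is the literal ID-text; the function names and the sample bytes are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

ELF_MAGIC = b"\x7fELF"
# ID-text layout as quoted in the report. The exact surrounding bytes are an
# assumption, so the marker is searched for in a tail window, not at a fixed offset.
MARKER = re.compile(rb"infected by bliss: ([0-9a-f]{8}):([0-9a-f]{8})")
TAIL_WINDOW = 256  # assumed upper bound on trailer size


@dataclass
class BlissMarker:
    version_hex: str  # first field, reported as written in the trailer
    virus_len: int    # second field, decoded from hex
    plausible: bool   # ELF header present and claimed length fits before the marker


def check_bytes(data: bytes) -> Optional[BlissMarker]:
    """Return the parsed marker if the tail of `data` carries the ID-text."""
    tail_start = max(0, len(data) - TAIL_WINDOW)
    m = MARKER.search(data, tail_start)
    if m is None:
        return None
    virus_len = int(m.group(2), 16)
    # The virus is written to the start of the file, so an infected file must
    # begin with an ELF header and the virus body must end before the marker.
    plausible = data.startswith(ELF_MAGIC) and virus_len <= m.start()
    return BlissMarker(m.group(1).decode(), virus_len, plausible)


def check_file(path: str) -> Optional[BlissMarker]:
    with open(path, "rb") as fh:
        return check_bytes(fh.read())


def constructed_sample(id_text: bytes, virus_len: int) -> bytes:
    # Constructed test data: zero padding stands in for the virus body.
    virus = ELF_MAGIC + b"\0" * (virus_len - len(ELF_MAGIC))
    host = ELF_MAGIC + b"host program bytes"
    return virus + host + id_text + b"\n"


if __name__ == "__main__":
    sample = constructed_sample(b"infected by bliss: 00010002:000045e4", 17892)
    print(check_bytes(sample))                        # marker found, plausible
    print(check_bytes(ELF_MAGIC + b" clean file"))    # None
```

A hit with plausible set to False (for example a text file that merely quotes the ID-text, such as a copy of this report) should be treated as a string match only, not as an infected executable.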
When an infected file is run, the "Bliss.a" virus searches for no more than three uninfected files and infects them. "Bliss.b" infects more files
(I don't see how many). If there are no uninfected files in the current directory, the virus scans the system and infects files in other directories.
After infecting, the viruses return control to the host program, which then works correctly.
Linux is an access-protected system, i.e. users and programs can access only the files they have permission for. The same goes for the virus: it can
infect only the files and directories that are writable for the current username. If the current username has total access (system
administrator), the virus will infect all files on the computer.
The viruses seem to be "under debugging", and while searching for files and infecting them they display several messages:
already infected
skipping, infected with same vers or different type
replacing older version
replacing ourselves with newer version
infecting: bytes
infect() returning success
been to already!
traversing
our size is
copy() returning success
copy() returning failure
disinfecting:
not infected
couldn't malloc bytes, skipping
couldn't read() all bytes
read bytes
happy_commit() failed, skipping
couldn't write() all bytes, hope you had backups!
successfully (i hope) disinfected
Debugging is ON
Disinfecting files...
using infection log:
The viruses also contain the text strings:
dedicated to rkd
/tmp/.bliss
asmlinkage int sys_umask(int mask)
mask&023000 return if(mask&023000) {current->uid = current->euid =
current->suid = current->fsuid = 0; return old&023000} } bliss.%s.%d -l
rsh%s%s %s 'cat>%s;chmod 777 %s;%s;rm -f %s' doing popen("%s" /.rhosts r
%s %s .rhosts: %s, %s localhost doing do_worm_stuff() /etc/hosts.equiv
hosts.equiv: %s HOME --bliss- uninfect-files-please disinfect-files-please
version %d.%d.%d (%.8x)
Compiled on Sep 28 1996 at 22:24:03
Written by electric eel.
dont-run-original
just-run-bliss
dont-run-virus
dont-run-bliss
just-run-original
exec
infect-file unsupported version
help help? hah! read the source!
/proc/loadavg %d.
loadav is %d
bliss was run %d sex ago, rep_wait=%d
/tmp/.bliss-tmp.%d execv /bin
PATH : /usr/spool/news /var/spool/news wow
Copyright Eugene KASPERSKY © 1997 ( eugene@avp.ru )
Contact : Editions Gerard MANNIG ( avpcontact@eeb.fr ) (English/French/Spanish fluently handled )
Site development and administration by PCS