Prevent Online Threats

Archive for December, 2008

Linux.Kagob

Wednesday, December 31st, 2008

Details
Linux.Kagob.a

It is a harmless, non-memory resident parasitic Linux virus. The virus itself is a Linux executable module (ELF file). It searches for other ELF files in the system, then infects them.
While infecting, the virus moves the victim file's contents down and writes itself into the file header. To pass control to the host file, the virus “disinfects” it into a temporary file and executes that copy.
The virus does not manifest itself in any way. Its body contains the “copyright” text string:
Linux.Kaiowas by Gobleen Warrior//SMF

Linux.Gild

Wednesday, December 31st, 2008

Details
Linux.Gildo

It is not a dangerous, memory resident parasitic virus. It was written in assembler and uses system calls (syscall) directly while working with files. The virus infects ELF files, writing itself to the middle of the file.
After starting, the virus forks its main process and continues its work. The resident part scans the directories from the root and checks the access rights of each file found; if the file is writable, the virus infects it. While infecting a file, the virus increases the size of its code section by 4096 bytes and writes its code into the freed space. After that the virus adjusts the parameters of the ELF file's upper sections and sets a new entry point for it. The virus displays the following message on each start:
Gildo virus
email Gildo@jazz.hm (for comments)
The virus contains the text strings:
hello, nice boys, I hope you will enjoy this program written with nasm. I want to say thanks to all my programmers friend.Bye from Gildo. The Netwide Assembler 0.98 .symtab .strtab .shstrtab .text .data .sbss .bss .comment
It also contains the debug strings from the compiler:
virus.asm parent parent_process ahah scan_dir c_stat others_permissions user_permissions group_permissions c_permissions is_regular_file c1_is_regular_file c2_is_regular_file is_directory c1_is_directory l_readdir skip_l_readdir e_l_readdir error_stat error_opening_file e_scan_dir infect_file open no_open_error file_length mmap c_mmap is_suitable error_suitable c1_is_suitable read_ehdr c_ehdr is_suitable_space patch_ehdr patch_e_entry patch_e_sh_offset patch_phdrs l_read_ph dont_patch_phtext dont_patch_ph patch_shdrs l_read_sh dont_patch_shtext dont_patch_sh find_current_entry_point write suit_error munmap mmap_error close open_error __exit __bss_start main _edata _end

Linux.Diese

Wednesday, December 31st, 2008

Details
Linux.Diesel

This is a relatively harmless, non-memory resident parasitic virus. It searches for Linux executable files in system directories and their subdirectories, then writes itself to the middle of the file. Before searching for files, the virus reads its own code from the host file. It moves the original bytes to the end of the file and increases the size of the preceding section.

File before infecting:            File after infecting:

+-------------+                   +-------------+
|   Header    |                   |   Header    |
+-------------+                   +-------------+
|             |                   |             |
|             |                   |             |
|             |                   |             |
+-------------+<- Entry point     +-------------+<- Entry point
| Program code|                   | Virus code  |
+-------------+                   +-------------+
|             |                   |             |
|             |                   |             |
+-------------+                   +-------------+
                                  | Program code|
                                  +-------------+

After finishing its work, the virus restores the host and transfers control to it. The virus contains the text strings:
/ home root sbin bin opt
[ Diesel : Oil, Heavy Petroleum Fraction Used In Diesel Engines ]
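The Gildo, Diesel and Kagob descriptions above share one mechanism: the virus body is inserted into the ELF image and the header's entry point is redirected to it. The following Python script is an added example, not code from the original page or from any of the viruses described; it shows the header-level triage a defender can do on an ELF64 file: parse the ELF, program and section headers and report whether e_entry falls inside an executable PT_LOAD segment and inside the .text section. The sample images (CLEAN, REDIRECTED, OUTSIDE) are constructed in memory by build_sample() purely for illustration, are never executed, and are not real binaries; the "entry must be in .text" rule is a heuristic that holds for ordinary compiler-produced executables, not an ELF requirement.

```python
import struct

# Struct layouts for little-endian ELF64 (System V ABI), used both for parsing
# and for building the constructed test images below.
ELF64_EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF header
ELF64_PHDR = struct.Struct("<IIQQQQQQ")          # 56-byte program header
ELF64_SHDR = struct.Struct("<IIQQQQIIQQ")        # 64-byte section header
PT_LOAD, PF_X = 1, 0x1


def parse_elf64(data):
    """Parse the ELF header, program headers and section headers (with names)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_ident, _type, _machine, _ver, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = ELF64_EHDR.unpack_from(data, 0)
    phdrs = [ELF64_PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    shdrs = [ELF64_SHDR.unpack_from(data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    names = []
    if shdrs:
        strtab_off = shdrs[e_shstrndx][4]           # sh_offset of .shstrtab
        for sh in shdrs:
            start = strtab_off + sh[0]              # sh_name is an offset into it
            names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return {"entry": e_entry, "phdrs": phdrs, "shdrs": shdrs, "names": names}


def entry_point_report(data):
    """Report where e_entry lands: in an executable PT_LOAD segment, and in which section.

    Ordinary compiler-produced executables put _start in .text, so an entry point that
    resolves to no section, or to a section other than .text, deserves a closer look.
    """
    elf = parse_elf64(data)
    entry = elf["entry"]
    in_exec_segment = any(
        p_type == PT_LOAD and (p_flags & PF_X) and p_vaddr <= entry < p_vaddr + p_memsz
        for (p_type, p_flags, _off, p_vaddr, _paddr, _filesz, p_memsz, _align) in elf["phdrs"]
    )
    section = None
    for name, sh in zip(elf["names"], elf["shdrs"]):
        sh_addr, sh_size = sh[3], sh[5]
        if sh_size and sh_addr <= entry < sh_addr + sh_size:
            section = name
            break
    return {"entry": entry, "in_exec_segment": in_exec_segment, "section": section,
            "suspicious": (not in_exec_segment) or section != ".text"}


# --- Constructed sample images (not real binaries; they are never executed) ---
BASE = 0x400000
TEXT_OFF, TEXT_SIZE = 0x100, 0x20
STRTAB_OFF, SHDR_OFF = 0x200, 0x300
SHSTRTAB = b"\0.text\0.shstrtab\0"


def build_sample(entry):
    """Build a minimal ELF64 image (one R+X PT_LOAD, .text, .shstrtab) with the given e_entry."""
    size = SHDR_OFF + 3 * ELF64_SHDR.size
    img = bytearray(size)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, v1, SysV ABI
    ELF64_EHDR.pack_into(img, 0, ident, 2, 0x3E, 1, entry, ELF64_EHDR.size, SHDR_OFF, 0,
                         ELF64_EHDR.size, ELF64_PHDR.size, 1, ELF64_SHDR.size, 3, 2)
    ELF64_PHDR.pack_into(img, ELF64_EHDR.size, PT_LOAD, PF_X | 0x4, 0, BASE, BASE, size, size, 0x1000)
    img[TEXT_OFF:TEXT_OFF + TEXT_SIZE] = b"\x90" * (TEXT_SIZE - 1) + b"\xc3"   # nops + ret
    img[STRTAB_OFF:STRTAB_OFF + len(SHSTRTAB)] = SHSTRTAB
    # Section header 0 stays the mandatory null entry; 1 = .text, 2 = .shstrtab.
    ELF64_SHDR.pack_into(img, SHDR_OFF + ELF64_SHDR.size,
                         1, 1, 0x6, BASE + TEXT_OFF, TEXT_OFF, TEXT_SIZE, 0, 0, 16, 0)
    ELF64_SHDR.pack_into(img, SHDR_OFF + 2 * ELF64_SHDR.size,
                         7, 3, 0, 0, STRTAB_OFF, len(SHSTRTAB), 0, 0, 1, 0)
    return bytes(img)


CLEAN = build_sample(BASE + TEXT_OFF)               # entry at the start of .text
REDIRECTED = build_sample(BASE + STRTAB_OFF + 8)    # entry moved into a non-code region
OUTSIDE = build_sample(BASE + 0x2000)               # entry beyond every loadable segment

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("redirected", REDIRECTED), ("outside", OUTSIDE)):
        print(label, entry_point_report(img))
```

On a real system the same report can be produced for every ELF on disk and compared against a known-good baseline; `readelf -h` and `readelf -S` give the same numbers by hand, but the script makes the "entry outside .text" condition a single boolean that can be alerted on.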

Linux.Bliss

Wednesday, December 31st, 2008

Details
Linux.Bliss.b

This is a non-memory resident parasitic virus written in GNU C. It infects Linux only: infected files can be executed, and the virus can spread, only under Linux. The virus searches for Linux executable files (ELF format) and infects them. While infecting, the virus shifts the file body down, writes itself to the beginning of the file and appends the ID-text to the end of the file:
infected by bliss: 00010004:000048ac
It seems that the first hex number in these lines is the virus version and the second is the virus length; the virus lengths are 17892 and 18604 bytes.
When an infected file is run, the virus searches for non-infected files and infects them. If no non-infected files remain in the current directory, the virus scans the system and infects files in other directories. After infecting, the virus returns control to the host program, which then works correctly.
Linux is an access-controlled system, i.e. users and programs may access only the files they have permission to. The same goes for a virus: it can infect only the files and directories that are writable for the current user. If the current user has total access (the system administrator, root), the virus will infect all the files on the computer.
The virus seems to be “under debugging”: while searching for files and infecting them, it displays several messages:
already infected
skipping, infected with same virus or a different type
replacing an older version
replacing ourselves with a newer version
infecting: bytes
infect() returning success
been to already!
traversing
our size is
copy() returning success
copy() returning failure
disinfecting:
not infected
couldn’t malloc bytes, skipping
couldn’t read() all bytes
read bytes
happy_commit() failed, skipping
couldn’t write() all bytes, hope you had backups!
successfully (i hope) disinfected
Debugging is ON
Disinfecting filesall
using infection log:
The virus also contains the text strings:
dedicated to rkd
/tmp/.bliss
asmlinkage int sys_umask(int mask)
mask&023000 return if(mask&023000) {{current->uid = current->euid =
current->suid = current->fsuid = 0; return old&023000} } bliss.%s.%d -l
rsh%s%s %s ‘cat>%s;chmod 777 %s;%s;rm -f %s’ doing popen(“%s” /.rhosts r
%s %s .rhosts: %s, %s localhost doing do_worm_stuff() /etc/hosts.equiv
hosts.equiv: %s HOME –bliss- uninfect-files-please disinfect-files-please
version %d.%d.%d (%.8x)
Compiled on Sep 28 1996 at 22:24:03
Written by electric eel.
dont-run-original
just-run-bliss
dont-run-virus
dont-run-bliss
just-run-original
exec
infect-file unsupported version
help help? hah! read the source!
/proc/loadavg %d.
loadav is %d
bliss was run %d sex ago, rep_wait=%d
/tmp/.bliss-tmp.%d execv /bin
PATH : /usr/spool/news /var/spool/news wow

Linux.Bliss

Wednesday, December 31st, 2008

Details
Linux.Bliss.a

This is a non-memory resident parasitic virus written in GNU C. It infects Linux only: infected files can be executed, and the virus can spread, only under Linux. The virus searches for Linux executable files (ELF format) and infects them. While infecting, the virus shifts the file body down, writes itself to the beginning of the file and appends the ID-text to the end of the file:
infected by bliss: 00010002:000045e4
It seems that the first hex number in these lines is the virus version and the second is the virus length; the virus lengths are 17892 and 18604 bytes.
When an infected file is run, the virus searches for at most three non-infected files and infects them. If no non-infected files remain in the current directory, the virus scans the system and infects files in other directories. After infecting, the virus returns control to the host program, which then works correctly.
Linux is an access-controlled system, i.e. users and programs may access only the files they have permission to. The same goes for a virus: it can infect only the files and directories that are writable for the current user. If the current user has total access (the system administrator, root), the virus will infect all the files on the computer.
The virus seems to be “under debugging”: while searching for files and infecting them, it displays several messages:
already infected
skipping, infected with same virus or a different type
replacing an older version
replacing ourselves with a newer version
infecting: bytes
infect() returning success
been to already!
traversing
our size is
copy() returning success
copy() returning failure
disinfecting:
not infected
couldn’t malloc bytes, skipping
couldn’t read() all bytes
read bytes
happy_commit() failed, skipping
couldn’t write() all bytes, hope you had backups!
successfully (i hope) disinfected
Debugging is ON
Disinfecting filesall
using infection log:
The virus also contains the text strings:
dedicated to rkd
/tmp/.bliss
asmlinkage int sys_umask(int mask)
mask&023000 return if(mask&023000) {{current->uid = current->euid =
current->suid = current->fsuid = 0; return old&023000} } bliss.%s.%d -l
rsh%s%s %s ‘cat>%s;chmod 777 %s;%s;rm -f %s’ doing popen(“%s” /.rhosts r
%s %s .rhosts: %s, %s localhost doing do_worm_stuff() /etc/hosts.equiv
hosts.equiv: %s HOME –bliss- uninfect-files-please disinfect-files-please
version %d.%d.%d (%.8x)
Compiled on Sep 28 1996 at 22:24:03
Written by electric eel.
dont-run-original
just-run-bliss
dont-run-virus
dont-run-bliss
just-run-original
exec
infect-file unsupported version
help help? hah! read the source!
/proc/loadavg %d.
loadav is %d
bliss was run %d sex ago, rep_wait=%d
/tmp/.bliss-tmp.%d execv /bin
PATH : /usr/spool/news /var/spool/news wow
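Both Bliss entries above note that the virus appends a fixed ID-text, "infected by bliss: <version>:<length>", to every file it infects, which makes a cheap file-level detector possible. The following Python script is an added example, not code from the original page or from the virus; it searches the tail of a file image for that marker, decodes the two hex fields using the page's own reading (version first, length second), checks that the claimed length could fit in the file, and compares the pair against the two version/length combinations quoted on this page (0x00010002 with 17892 bytes, 0x00010004 with 18604 bytes). The sample images HOST, INFECTED_A, INFECTED_B and SPOOFED are constructed byte strings, not real infected files, and scan_file() is a hypothetical convenience wrapper for use on disk.

```python
import re

# The ID-text Bliss appends to an infected file, per the description above:
# "infected by bliss: <version hex>:<length hex>".
BLISS_MARKER = re.compile(rb"infected by bliss: ([0-9a-fA-F]{8}):([0-9a-fA-F]{8})")

# Version/length pairs taken from the two ID-texts quoted on this page (Bliss.a, Bliss.b).
KNOWN_BLISS = {0x00010002: 17892, 0x00010004: 18604}


def find_bliss_marker(data, tail=4096):
    """Look for the Bliss ID-text near the end of a file image and decode its fields.

    Returns None when no marker is present; otherwise a dict with the parsed version
    and length, whether that length is consistent with the file size, whether the pair
    matches one of the variants described on this page, and the marker's file offset.
    """
    window = data[-tail:] if len(data) > tail else data
    m = BLISS_MARKER.search(window)
    if m is None:
        return None
    version = int(m.group(1), 16)
    length = int(m.group(2), 16)
    # The virus body is written at the start of the host, so a file shorter than the
    # claimed virus length cannot actually carry that body (damaged or spoofed marker).
    plausible = 0 < length <= len(data)
    return {
        "version": version,
        "length": length,
        "plausible_length": plausible,
        "known_variant": KNOWN_BLISS.get(version) == length,
        "marker_offset": len(data) - len(window) + m.start(),
    }


def scan_file(path):
    """Hypothetical convenience wrapper: read a file from disk and apply find_bliss_marker()."""
    with open(path, "rb") as fh:
        return find_bliss_marker(fh.read())


# Constructed sample images: a stand-in "host" followed by the ID-texts quoted above.
HOST = b"\x7fELF" + bytes(20000)
INFECTED_B = HOST + b"infected by bliss: 00010004:000048ac"
INFECTED_A = HOST + b"infected by bliss: 00010002:000045e4"
SPOOFED = b"\x7fELF" + bytes(100) + b"infected by bliss: 00010004:000048ac"  # too short for the body

if __name__ == "__main__":
    samples = (("clean", HOST), ("bliss.b", INFECTED_B), ("bliss.a", INFECTED_A), ("spoofed", SPOOFED))
    for label, img in samples:
        print(label, find_bliss_marker(img))
```

Because the marker is plain ASCII at a fixed position, the same check is one rule in any string-scanning tool; the value of decoding the fields is that the length can be cross-checked against the file, which separates a real infection from a stray copy of the string.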

Line.90

Wednesday, December 31st, 2008

Details
Line.908

It is not a dangerous memory resident parasitic virus. It hooks INT 9 (keyboard) and INT 21h and writes itself to the end of COM files (except COMMAND.COM) that are executed. Depending on its internal counter (after more than 3000 characters have been typed on the keyboard), it resets INT 9, hooks INT 1Ch and manifests itself with a blinking (on fast PCs) or moving (on old PCs) screen line.

Linda.51

Tuesday, December 30th, 2008

Details
Linda.517

It is a very dangerous memory resident parasitic virus. It hooks INT 9, 21h and overwrites COM and EXE files that are executed or closed. It displays the message:
FUCKING TO L.I.N.D.A.

Linc Famil

Tuesday, December 30th, 2008

Details
Linc Family

These are harmless memory resident parasitic viruses. “Linc.228,318” are encrypted viruses.
They use different ways to install themselves into system memory: “Linc.196,228” copy themselves to the Interrupt Vector Table, “Linc.307” allocates memory by using DOS functions and patches the MCB fields, and “Linc.318” stays memory resident by using the Keep call (INT 27h).
Then they hook INT 21h and infect COM files that are executed. “Linc.196,228,307” write themselves to the end of the file, and “Linc.318” writes itself to the beginning.
The viruses contain the text strings:
“Linc.196”: Winter
“Linc.228”: Autumn
“Linc.307”: ‘The Waxwork Crew’ proudly release their first virus ‘aardvark’
“Linc.318”: [Sleeping]

Lilo.157

Tuesday, December 30th, 2008

Details
Lilo.1573

This is a relatively harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. On the 13th of any month the virus, depending on the system time, displays one of the messages below and either returns to DOS or reboots the computer.
The virus also contains the following text strings:
LI_LO.1573 virus v.0 (test) by P&C
COMMAND.COM.EXE

The messages are:
Divide error
Program too big to fit in memory
+——————————————————————+
| If you want to be more SEXY, you must drink a lot of Pepsi ! |
| |
| XXXX XXXX |
| XXXX XXXX –+– +– |
| XXXX XXXX | +–+ +- |
| XXXX XXXX | | | +– |
| XXXXXXX XXXX | |
| XXXXXXX XXXX |
| +–+ +– +– -+– |
| Greetings to +–+ +- +-+ | |
| Marek Sell +–+ +– –+ | |
| and |
| everybody, who can XXXX XXXXX |
| read this text XXXX XXXX XXXX |
| XXXX XXXX XXXX |
| from PiCSof XXXXXXXX XXXX XXXX |
| XXXXXXXX XX XXXXX XX |
| |
| |
+————————————————-COPYRIGHT 1996—+

Lilit

Tuesday, December 30th, 2008

Details
Lilith

It is not a dangerous memory resident polymorphic stealth boot virus. To hook INT 13h, the virus scans the BIOS code for an INT 18h call (CDh 18h), sets INT 13h to that address and hooks INT 18h. Then the virus writes itself to the boot sector of floppy disks and the MBR of the hard drive. Depending on the system timer, the virus also hooks INT 5 (Print Screen), and when the PrintScreen key is pressed, the virus displays:
L · I · L · I · T · H
Tu del creato prima Donna
del Sesso Maestra infernale
accogli le Nostre dannate Carni
nel Tuo satanico Ventre

The virus also contains the text string:
Milan Italy 95

LightNing.425

Tuesday, December 30th, 2008

Details
LightNing.4251

It is a very dangerous memory resident parasitic polymorphic virus. It hooks INT 13h and INT 21h and writes itself to the end of COM and EXE files that are executed, opened or renamed, or whose attributes are accessed. The virus does not infect the anti-virus programs AIDSTEST, DRWEB, -V (former AVP), ADINF, SCAN and ANTI*.
When .PAS files (Pascal source files) are opened, the virus searches for the “BEGIN” string within the file and inserts a line of source code that either reboots the computer or halts it:
inline($b9/$02/$00/$e2/$fb);
inline($ea/$f0/$ff/$00/$f0);

By hooking INT 13h, the virus encrypts sectors that contain text data. The virus contains the text strings:
“LightNing” (c) 12.95 by ML, Krasnodar
MetaMorphic Generator (MMG) v1.0
AIDRWE-VADSCAN

LightGeneral.105

Tuesday, December 30th, 2008

Details
LightGeneral.1054

These are harmless non-memory resident parasitic viruses. They search for COM and EXE files, then write themselves to the end of the file. The viruses do not infect a file if its name contains the letters DR, AI, MS or CO. The viruses contain the text strings:
This virus was made for Computer Virus Club `Stealth`
Our address : Kiev 148 – box 10
(c) Light General.Kiev.1995.For free use!

Light.101

Monday, December 29th, 2008

Details
Light.1010

It is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are accessed or found by the DOS FindFirst/FindNext functions. The virus has bugs and in some cases corrupts files while infecting them and/or halts the system. The virus contains the text strings:
A long time ago,in very remute institut all
LIGHT in the DARK

Lifeform.210

Monday, December 29th, 2008

Details
Lifeform.2101

It is a very dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are closed (i.e. the virus infects files that are copied, modified or scanned). When an infected file is debugged or opened, the virus disinfects it (stealth). When the length of an infected file is queried, the virus decreases it; when the F-PROT anti-virus or the ARJ, RAR, PKZIP, LHA or BACKUP utilities are run, the virus disables this stealth routine.
The virus also fools the AVPLITE and F-PROT anti-virus programs. When AVPLITE is run, the virus adds the “disable heuristic scanning” option to the end of its command line. When F-PROT reads data from files to scan them for viruses, the virus fills the data buffer with garbage. The virus also deletes the anti-virus data files ANTI-VIR.DAT, CHKLIST.MS, SMARTCHK.CPS, AVP.CRC, IVB.NTZ and CHKLIST.TAV. Under a debugger the virus corrupts the CMOS checksum field and halts the computer. On May 23rd the virus erases the data on the hard drive, corrupts the CMOS and displays the message:
– [LifeForm] coded by ThE_WiZArD (1998) –
Cooler than a body on ice, Hotter than a rollin`dice
Wilder than a drunken fight all You`re gonna burn tonight

The virus also contains the text strings:
#ThE_WiZArD
Quo vadis Fridrik? … and you Frans still working on this shit.

Lichen.102

Monday, December 29th, 2008

Details
Lichen.1024

It is not a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. One month after infection, the virus also hooks INT 8 and INT 9 and manifests itself with a video effect.

