Linux.Bliss

Details
Linux.Bliss.b

This is a non-memory-resident parasitic virus written in GNU C. It infects Linux only: infected files can be executed, and the virus can spread, only under Linux. The virus searches for executable Linux files (ELF internal format) and infects them. While infecting, the virus shifts the file body down, writes itself to the beginning of the file, and appends the following ID-text to the end of the file:
infected by bliss: 00010004:000048ac
It seems that the former hex number in these lines is a virus version, and the latter is the virus length – the virus lengths are 17892 and 18604 bytes.
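An added example (not part of the original description, and not code from the virus or from any vendor tool): a Python check for the ID-text trailer described above, which decodes the two hex fields. The 64-byte tail window and the layout cross-check (an ELF header at offset 0 and the host's ELF header at the offset given by the length field) are assumptions drawn from the description; the sample image is constructed and inert.

```python
import re

# ID-text format quoted on this page, e.g. "infected by bliss: 00010004:000048ac"
TRAILER_RE = re.compile(rb"infected by bliss: ([0-9a-fA-F]{8}):([0-9a-fA-F]{8})\s*\Z")
ELF_MAGIC = b"\x7fELF"
TAIL_WINDOW = 64  # assumption: the ID-text lies within the last 64 bytes


def parse_bliss_trailer(data: bytes):
    """Return (version_field, virus_length) from the trailing ID-text, or None."""
    match = TRAILER_RE.search(data[-TAIL_WINDOW:])
    if match is None:
        return None
    return int(match.group(1), 16), int(match.group(2), 16)


def classify(data: bytes) -> dict:
    """Classify a file image by marker presence and layout consistency."""
    trailer = parse_bliss_trailer(data)
    if trailer is None:
        return {"verdict": "no-marker"}
    version, length = trailer
    # Assumed layout check: the virus body is itself an ELF at offset 0 and the
    # displaced host ELF starts right after it, at offset == virus length.
    prepended = data[:4] == ELF_MAGIC
    host_at_offset = data[length:length + 4] == ELF_MAGIC
    verdict = "consistent-with-bliss" if prepended and host_at_offset else "marker-only"
    return {"verdict": verdict, "version": f"{version:08x}", "virus_length": length}


def constructed_sample(version: int, length: int) -> bytes:
    """Inert test image: zero padding stands in for the virus body."""
    body = ELF_MAGIC + b"\x00" * (length - len(ELF_MAGIC))
    host = ELF_MAGIC + b"\x00" * 60
    return body + host + b"infected by bliss: %08x:%08x\n" % (version, length)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

A "marker-only" verdict covers files that merely contain the text, such as a saved copy of this description, so the string alone is not treated as proof of infection.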
When an infected file is run, the virus searches for non-infected files and infects them. If there are not any infected files in the current directory, the virus scans the system and infects files in other directories. After infecting, the virus returns control to the host program, which then works correctly.
Linux is an access-protected system; i.e., users and programs may access only files that they have permission to. The same goes for a virus – it may infect only the files and directories that are declared as “write-able” for the current username. If the current username has total access (system administrator), the virus will infect all the files on the computer.
The virus seems to be “under debugging,” and while searching for files and infecting them, the virus displays several messages:
already infected
skipping, infected with same virus or a different type
replacing an older version
replacing ourselves with a newer version
infecting: bytes
infect() returning success
been to already!
traversing
our size is
copy() returning success
copy() returning failure
disinfecting:
not infected
couldn’t malloc bytes, skipping
couldn’t read() all bytes
read bytes
happy_commit() failed, skipping
couldn’t write() all bytes, hope you had backups!
successfully (i hope) disinfected
Debugging is ON
Disinfecting filesall
using infection log:
The virus also contains the text strings:
dedicated to rkd
/tmp/.bliss
asmlinkage int sys_umask(int mask)
mask&023000 return if(mask&023000) {{current->uid = current->euid =
current->suid = current->fsuid = 0; return old&023000} } bliss.%s.%d -l
rsh%s%s %s ‘cat>%s;chmod 777 %s;%s;rm -f %s’ doing popen(“%s” /.rhosts r
%s %s .rhosts: %s, %s localhost doing do_worm_stuff() /etc/hosts.equiv
hosts.equiv: %s HOME –bliss- uninfect-files-please disinfect-files-please
version %d.%d.%d (%.8x)
Compiled on Sep 28 1996 at 22:24:03
Written by electric eel.
dont-run-original
just-run-bliss
dont-run-virus
dont-run-bliss
just-run-original
exec
infect-file unsupported version
help help? hah! read the source!
/proc/loadavg %d.
loadav is %d
bliss was run %d sex ago, rep_wait=%d
/tmp/.bliss-tmp.%d execv /bin
PATH : /usr/spool/news /var/spool/news wow

    Linux.Bliss

    Details
    Linux.Bliss.a

    This is a non-memory-resident parasitic virus written in GNU C. It infects Linux only: infected files can be executed, and the virus can spread, only under Linux. The virus searches for executable Linux files (ELF internal format) and infects them. While infecting, the virus shifts the file body down, writes itself to the beginning of the file, and appends the following ID-text to the end of the file:
    infected by bliss: 00010002:000045e4
    It seems that the former hex number in these lines is a virus version, and the latter is the virus length – the virus lengths are 17892 and 18604 bytes.
    When an infected file is run, the virus searches for not more than three non-infected files and infects them. If there are not any infected files in the current directory, the virus scans the system and infects files in other directories. After infecting, the virus returns control to the host program, which then works correctly.
    Linux is an access-protected system; i.e., users and programs may access only files that they have permission to. The same goes for a virus – it may infect only the files and directories that are declared as “write-able” for the current username. If the current username has total access (system administrator), the virus will infect all the files on the computer.
    The virus seems to be “under debugging,” and while searching for files and infecting them, the virus displays several messages:
    already infected
    skipping, infected with same virus or a different type
    replacing an older version
    replacing ourselves with a newer version
    infecting: bytes
    infect() returning success
    been to already!
    traversing
    our size is
    copy() returning success
    copy() returning failure
    disinfecting:
    not infected
    couldn’t malloc bytes, skipping
    couldn’t read() all bytes
    read bytes
    happy_commit() failed, skipping
    couldn’t write() all bytes, hope you had backups!
    successfully (i hope) disinfected
    Debugging is ON
    Disinfecting filesall
    using infection log:
    The virus also contains the text strings:
    dedicated to rkd
    /tmp/.bliss
    asmlinkage int sys_umask(int mask)
    mask&023000 return if(mask&023000) {{current->uid = current->euid =
    current->suid = current->fsuid = 0; return old&023000} } bliss.%s.%d -l
    rsh%s%s %s ‘cat>%s;chmod 777 %s;%s;rm -f %s’ doing popen(“%s” /.rhosts r
    %s %s .rhosts: %s, %s localhost doing do_worm_stuff() /etc/hosts.equiv
    hosts.equiv: %s HOME –bliss- uninfect-files-please disinfect-files-please
    version %d.%d.%d (%.8x)
    Compiled on Sep 28 1996 at 22:24:03
    Written by electric eel.
    dont-run-original
    just-run-bliss
    dont-run-virus
    dont-run-bliss
    just-run-original
    exec
    infect-file unsupported version
    help help? hah! read the source!
    /proc/loadavg %d.
    loadav is %d
    bliss was run %d sex ago, rep_wait=%d
    /tmp/.bliss-tmp.%d execv /bin
    PATH : /usr/spool/news /var/spool/news wow
