[lug] Scary precedent, W32.Winux virus

D. Stimits stimits at idcomm.com
Wed Mar 28 15:40:14 MST 2001


rm at mamma.varadinet.de wrote:
> 
> On Wed, Mar 28, 2001 at 11:54:55AM -0700, D. Stimits wrote:
> 
> > I saw it. The author was no script kiddie, it was written in x86
> > assembler.
> 
> Did you see the actual code? How does it handle the two different
> ABIs? What kind of header does it have? I'd like to see code that
> can convince both Win and linux loaders that it's PE and ELF.

I haven't seen the actual code, but I wondered some of the same things.
I would guess it has two entry points to the code, and wouldn't mind
seeing myself how the asm is compiled. On Linux, of course, you could
trick the user into running some sort of compile or link, since the
tools are always there; for windows there are likely a lot of ways you
could attempt to insert inline object code that isn't checked for
validity ahead of time. It would be interesting to run ldd on the code.

D. Stimits, stimits at idcomm.com

> 
>   Ralf
> 
> > FYI, here are links:
> > http://dailynews.yahoo.com/h/nm/20010327/wr/virus_winux_dc_1.html
> > http://support.avx.com/cgi-bin/command/solution?11=010327-0017&130=0985731825
> >
> > On the up side, it requires a linux user to actually run the program
> > before it will attack, there doesn't seem to be a way to automate it,
> > aside from tricking the user into running it.
> >
> > D. Stimits, stimits at idcomm.com

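The thread asks how one file could satisfy both the Windows and the Linux loader. A loader decides on the bytes at offset 0: ELF needs `\x7fELF` there, PE needs `MZ` there, so a single file can only be one of the two to its loader; anything "dual" has to carry a second image somewhere inside the first. The script below is an added example, not code from this post or from the virus being discussed. It parses the minimal ELF and PE header fields needed to name the format, the machine type and the entry point, then scans a file for every header it contains, wherever it sits, which is the triage check for a sample claiming to target both systems. The two sample headers are constructed in the file itself (an i386 ELF with the classic 0x08048080 entry and a PE32 with ImageBase 0x400000); no real binary is read.

```python
"""Identify ELF / PE headers in a file and report the entry point of each.

Added example (not from the mailing-list post or the virus it discusses).
Only standard ELF and PE layouts are assumed; the sample headers are
constructed below and are not real executables.
"""
import struct

ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def parse_elf(data: bytes):
    """Return {'format','bits','machine','entry'} for an ELF header, else None."""
    if data[:4] != ELF_MAGIC or len(data) < 16:
        return None
    ei_class, ei_data = data[4], data[5]          # 1/2 = 32/64-bit, 1/2 = LE/BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version, e_entry follow the 16-byte e_ident
    fmt = endian + ("HHII" if ei_class == 1 else "HHIQ")
    if len(data) < 16 + struct.calcsize(fmt):
        return None
    _e_type, e_machine, _e_version, e_entry = struct.unpack_from(fmt, data, 16)
    return {"format": "ELF", "bits": 32 if ei_class == 1 else 64,
            "machine": e_machine, "entry": e_entry}


def parse_pe(data: bytes):
    """Return {'format','bits','machine','entry'} for a PE image, else None."""
    if data[:2] != MZ_MAGIC or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    opt = e_lfanew + 24                                   # signature(4) + COFF header(20)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE or len(data) < opt + 32:
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32: ImageBase is 4 bytes at +28
        bits, image_base = 32, struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+: ImageBase is 8 bytes at +24
        bits, image_base = 64, struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        return None
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    return {"format": "PE", "bits": bits, "machine": machine,
            "entry": image_base + entry_rva}


def classify(data: bytes):
    """What the loader sees: the header at offset 0, or None for neither format."""
    return parse_elf(data) or parse_pe(data)


def find_embedded(data: bytes):
    """(offset, format) for every ELF or PE header anywhere in the file."""
    found = []
    pos = data.find(ELF_MAGIC)
    while pos != -1:
        if parse_elf(data[pos:]):
            found.append((pos, "ELF"))
        pos = data.find(ELF_MAGIC, pos + 1)
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        if parse_pe(data[pos:]):
            found.append((pos, "PE"))
        pos = data.find(MZ_MAGIC, pos + 1)
    return sorted(found)


def sample_elf32() -> bytes:
    """Constructed: ET_EXEC, EM_386, little-endian, entry 0x08048080."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1]) + b"\0" * 9
    return e_ident + struct.pack("<HHII", 2, 3, 1, 0x08048080)


def sample_pe32() -> bytes:
    """Constructed: DOS stub pointing at a PE32 with entry RVA 0x1000, base 0x400000."""
    dos = MZ_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = PE_SIGNATURE + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14            # Magic, then up to +16
           + struct.pack("<I", 0x1000) + b"\0" * 8          # AddressOfEntryPoint
           + struct.pack("<I", 0x400000))                   # ImageBase
    return dos + coff + opt


if __name__ == "__main__":
    for name, blob in [("elf", sample_elf32()), ("pe", sample_pe32()),
                       ("elf+pe", sample_elf32() + sample_pe32())]:
        print(name, "loader sees:", classify(blob), "contains:", find_embedded(blob))
```

Run it on a real sample with `classify(open(path, "rb").read())`; an ELF that also yields a PE entry from `find_embedded` is carrying a second image for the other loader, which is the question Ralf raised.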