[lug] Scary precedent, W32.Winux virus

rm at mamma.varadinet.de rm at mamma.varadinet.de
Wed Mar 28 16:18:27 MST 2001


On Wed, Mar 28, 2001 at 04:08:33PM -0700, Michael J. Pedersen wrote:
[...]

> The code replaces the entry code for PE executables. If the PE area is too
> small for that exe, then the file doesn't get infected. For ELF, it places
> itself at the beginning of the file, and moves the real startup code to the
> end.
> 
> Doing this would be fairly easy. Have a body of code which has two headers
> available to it. One for PE, one for ELF. Write the correct header, which
> calls the actual body of the code, and that's about it. Nothing special or
> magical about it.

Ah, I see, but then it's more than trivial. I got the impression that
it can be executed on both OSs. Hmm, thinking about it: how would it
'cross-infect'? If I get the Linux version on a Win box it can't run
(wrong binformat), and if I get the Win version it'll run, but it's very
unlikely that it'll find Linux binaries to infect (I think I read something
about the virus scanning the current directory, parent etc. Very unlikely
places to find Linux binaries).

> The only worthwhile thing about it is that since it hadn't been done before,
> the author should be able to get a patent on it, especially with the way the
> USPTO is working these days ;)
Ralf
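The "wrong binformat" point above comes down to the file's leading bytes: a Linux loader rejects an MZ/PE image and a Windows loader rejects an ELF image, so the same file body can only be run on one side at a time, through whichever header was written in front of it. The following triage script is an added example, not code from the original post or from anyone in the thread. It identifies whether a file is PE or ELF (hence which OS could execute it at all) and reads the entry-point field, which is exactly the field an entry-point-replacing infector like the one described has to overwrite, so it is the first thing to compare against a known-good copy of the binary. The two sample headers at the bottom are constructed for this example and are not real binaries.

```python
"""Binary-format triage: which loader accepts this file, and where does it start?"""
import struct

ELF_MAGIC = b"\x7fELF"
PE_MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def identify_format(data: bytes) -> str:
    """Return 'ELF', 'PE' or 'unknown' from the file's leading bytes."""
    if data[:4] == ELF_MAGIC:
        return "ELF"
    if data[:2] == PE_MZ_MAGIC and len(data) >= 0x40:
        # e_lfanew at 0x3C points at the "PE\0\0" signature
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
            return "PE"
    return "unknown"


def elf_entry_point(data: bytes) -> int:
    """Read e_entry from an ELF header (ELF32 or ELF64, either endianness)."""
    ei_class = data[4]          # 1 = ELF32, 2 = ELF64
    ei_data = data[5]           # 1 = little-endian, 2 = big-endian
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:
        return struct.unpack_from(endian + "I", data, 0x18)[0]   # 4-byte e_entry
    return struct.unpack_from(endian + "Q", data, 0x18)[0]       # 8-byte e_entry


def pe_entry_point(data: bytes) -> int:
    """Read AddressOfEntryPoint (an RVA) from the PE optional header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Optional header follows the 4-byte signature and the 20-byte COFF header;
    # AddressOfEntryPoint is 16 bytes into the optional header.
    optional_header = e_lfanew + 4 + 20
    return struct.unpack_from("<I", data, optional_header + 16)[0]


def triage(data: bytes) -> dict:
    """Summarise format, the OS whose loader would accept it, and the entry point."""
    fmt = identify_format(data)
    runs_on = {"ELF": "Linux", "PE": "Windows"}.get(fmt, "neither")
    entry = None
    if fmt == "ELF":
        entry = elf_entry_point(data)
    elif fmt == "PE":
        entry = pe_entry_point(data)
    return {"format": fmt, "runs_on": runs_on, "entry_point": entry}


# --- constructed sample headers for this example (not real binaries) ---
def _sample_elf64() -> bytes:
    # e_ident: magic, ELFCLASS64, little-endian, EV_CURRENT, then padding
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9
    # e_type=ET_EXEC, e_machine=x86-64, e_version=1, e_entry=0x401000
    return ident + struct.pack("<HHIQ", 2, 62, 1, 0x401000) + b"\0" * 40


def _sample_pe() -> bytes:
    e_lfanew = 0x40
    dos = PE_MZ_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, 1 section, no symbols, 0xE0-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    # Optional header start: PE32 magic, linker versions, sizes, entry RVA 0x1000
    optional = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000)
    return dos + PE_SIGNATURE + coff + optional + b"\0" * 16


if __name__ == "__main__":
    for name, blob in (("elf", _sample_elf64()), ("pe", _sample_pe()), ("script", b"#!/bin/sh\n")):
        print(name, triage(blob))
```

Run it against real files by passing `open(path, "rb").read()` to `triage()`. On a fleet, the useful check is not the entry-point value alone but its drift: record the entry point and the file hash for each installed binary and alert when either changes without a package update, since that is the signature of the header rewrite the post describes.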
