[lug] Scary precedent, W32.Winux virus

rm at mamma.varadinet.de
Wed Mar 28 16:12:29 MST 2001


On Wed, Mar 28, 2001 at 03:40:14PM -0700, D. Stimits wrote:
[...]
> I haven't seen the actual code, but I wondered some of the same things.
> I would guess it has two entry points to the code, and wouldn't mind
> seeing myself how the asm is compiled. On linux of course, you could
> trick the user into running some sort of compile or link, since the
> tools are always there; for windows there are likely a lot of ways you
> could attempt to insert inline object code that isn't checked for
> validity ahead of time. It would be interesting to run ldd on the code.

Yes, from what I understand it adds its own code to the ELF binary and
puts the original code at the end. What I don't understand is how
it fools the loader into thinking that this is an ELF binary. Linux
looks at the first few bytes of a file to detect whether it's actually
an ELF binary ('^?ELF^A^A^...'). If so, it jumps to the appropriate place
in the file and starts executing (well, gross simplification ;-)
Would Win eat an ELF binary and execute it?
This would make a great showpiece. Well, the thingy is GPLed ...

 Ralf
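As an added example (not part of Ralf's message or of anything posted in this thread), here is a small Python script that does the same check the kernel's loader does first, the `\x7fELF` magic bytes, and then goes one step further and reports where `e_entry` lands relative to the `PT_LOAD` segments. An infector that keeps the original code but redirects the entry point has to leave the ELF header intact (otherwise the loader refuses the file), so comparing the entry point and the file layout against a known-good copy is a practical integrity check. All function names are mine, and the sample bytes are constructed inline; they are a minimal ELF64 layout, not a real binary and not the virus discussed above.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1          # loadable segment
PF_X = 1             # segment is executable

ELF64_EHDR_FMT = "HHIQQQIHHHHHH"   # fields after the 16-byte e_ident
ELF64_PHDR_FMT = "IIQQQQQQ"        # one 56-byte program header


def parse_elf64_header(data):
    """Check the magic bytes the loader looks at and decode the ELF64 header."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file: magic bytes mismatch")
    if data[4] != 2:                      # EI_CLASS: 1 = ELF32, 2 = ELF64
        raise ValueError("only ELF64 is handled in this example")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big
    names = ["e_type", "e_machine", "e_version", "e_entry", "e_phoff",
             "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
             "e_shentsize", "e_shnum", "e_shstrndx"]
    hdr = dict(zip(names, struct.unpack(endian + ELF64_EHDR_FMT, data[16:64])))
    hdr["endian"] = endian
    return hdr


def parse_program_headers(data, hdr):
    """Decode the program header table (the segments the loader maps)."""
    names = ["p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr",
             "p_filesz", "p_memsz", "p_align"]
    phs = []
    for i in range(hdr["e_phnum"]):
        off = hdr["e_phoff"] + i * hdr["e_phentsize"]
        raw = data[off:off + 56]
        if len(raw) < 56:
            raise ValueError("program header %d is truncated" % i)
        phs.append(dict(zip(names, struct.unpack(hdr["endian"] + ELF64_PHDR_FMT, raw))))
    return phs


def audit(data):
    """Report whether e_entry lies inside an executable PT_LOAD segment and how
    many bytes follow the last loadable segment. Trailing bytes are normal in
    a linked binary (section headers, debug info), so treat the number as
    something to compare against a known-good copy, not as proof by itself."""
    hdr = parse_elf64_header(data)
    loads = [p for p in parse_program_headers(data, hdr) if p["p_type"] == PT_LOAD]
    entry = hdr["e_entry"]
    in_exec = any(p["p_vaddr"] <= entry < p["p_vaddr"] + p["p_memsz"] and p["p_flags"] & PF_X
                  for p in loads)
    covered_end = max((p["p_offset"] + p["p_filesz"] for p in loads), default=0)
    return {
        "entry": entry,
        "entry_in_exec_segment": in_exec,
        "trailing_bytes": max(0, len(data) - covered_end),
    }


def build_sample_elf(entry, seg_vaddr=0x400000, seg_size=0x2000, trailing=b""):
    """Constructed sample: a little-endian x86-64 ELF64 header plus a single
    executable PT_LOAD segment covering the whole file. Assumed layout only."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8      # ELF64, LE, v1
    ehdr = e_ident + struct.pack("<" + ELF64_EHDR_FMT,
                                 2, 62, 1, entry, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<" + ELF64_PHDR_FMT,
                       PT_LOAD, 5, 0, seg_vaddr, seg_vaddr, seg_size, seg_size, 0x1000)
    body = ehdr + phdr
    body += b"\x00" * (seg_size - len(body))
    return body + trailing


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, audit(f.read()))
    else:
        print("clean sample   ", audit(build_sample_elf(0x401000)))
        print("suspicious sample", audit(build_sample_elf(0x402010, trailing=b"\x90" * 256)))
```

Run it with no arguments to see the two constructed samples, or pass real binaries on the command line; for a real file the useful comparison is the same report taken from a pristine copy of that binary.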