Virus Database

Vofca Family

Description Vofca Family

These are very dangerous overwriting viruses. They write themselves to the beginning of the file and do not save/restore original file header. The viruses contain the text:
VoFcA

Vofca.174
It is a memory resident virus. When an infected file is executed, the virus hooks INT 21h, displays the message:
EXEC failure

and returns to DOS. When any file is executed, the virus overwrites it.
Vofca.238,275
These viruses search for .COM and .EXE files and overwrite them, then display the message:
Incorrect DOS version

and return to DOS. These viruses also contain the text:
\/ar Cannibal Animal

Check other viruses! Be aware! Use Antiviral Software

Linux.RST

Description Linux.RST

This text was written by Costin Raiu, Kaspersky Labs, Romania
This is a Linux virus that also implements several backdoor facilities, allowing an attacker to take control of the system infected with it in case the virus has been executed on account with root priviledges. The virus infects all the Linux binary executables in the current directory and the /bin directory, and listens to the first network card 'eth0' as well on the first PPP connection interface, and 'ppp0' for special packets sent in the EGP communication protocol. Whenever such a special package arrives, the virus allows the attacker to take control of the system with a root shell.
The virus will also attempt to create two new devices in the /dev directory, named "/dev/hdx1" and "/dev/hdx2", and tries to access a Web page on the ns1.xoasis.com web server.
Technical details:
The viral part works by attaching itself to normal ELF executables, patching their header, and moving the entrypoint to the viral code. At the same time, the virus relocates all the data found after the original host code to the end of its own code. It is interesting to note that the virus also performs an anti-debugging check by seeing whether the current process is 'ptrace'-ed. If so, it will immediately terminate execution. If not, the virus looks for all the files in the current directory, and attempts to infect them. After this, it will also attempt to infect all the files in the '/bin' directory, which under normal conditions will only work if the infected program has been run under an account with higher privileges. There is no attempt in the viral code to exploit any Linux vulnerabilities in order to obtain higher access when the virus is run on a normal user account.
The backdoor part of the virus attempts to create two new devices named "/dev/hdx1" and "/dev/hdx2", and if the creation succeeds, it checks for the existence of the two standard network interfaces 'eth0' or 'ppp0', and attempts to set them into "promiscuous" mode. It also attempts to create an "Exterior Gateway Protocols" (EGP) raw socket, and put it into listening mode.
When a special EGP IP packet arrives, the virus will check whether the 23rd byte in the data-packet is 0x11, then it will check for the presence of a specific password, as a 3-byte string at the offset 0x2a in the buffer. If these two conditions are met, the backdoor will check for a "command" byte, which is either 1 or 2 - if the "command" byte is "1", it will spawn a standard "/bin/sh" shell, which the attacker can control on the remote system.
Two strings can be seen inside the virus, but they are not used anywhere in the code. These strings are "snortdos" and "tory".

Linux.Satyr.a

Description Linux.Satyr.a

This is a harmless non-memory resident parasitic Linux virus. The virus is a Linux executable module (ELF file). It searches for other ELF files in the system, and then infects them. The virus infects files in the following directories:
current directory
parent directory
~/ (user root directory)
~/bin (user /bin directory)
~/sbin (user /sbin directory)
/bin
/sbin
/usr/bin
/usr/local/bin
/usr/bin/X11
While infecting, the virus moves a victim's file contents down, and writes itself to the file header. To release control to the host file, the virus "disinfects" it to a temporary file and executes it.
The virus does not manifest itself in any way. Its body contains the "copyright" text string:
unix.satyr version 1.0 (c)oded jan-2001 by Shitdown [MIONS], http://shitdown.sf.cz

Home