Win32.Sandman.4096
Description Win32.Sandman.4096
It is a primitive parasitic Win32 companion virus. It has PE format (Win32 Portable Executable), but affects any files that have .EXE extension (DOS EXE, Win16 NE, Win32 PE files). The virus searches for .EXE files in the current directory, renames them with .EYE extension and writes itself on the place of host file. To pass control to original program the virus executes .EYE file by using standard Windows WinExec call, as a result infected files of any format (DOS, Win16/32) will be executed without problems.
The virus contains the text string:
[Hong Kong, by Mister Sandman/29A]
Check other viruses! Be aware! Use Antiviral Software
Linux.Satyr.a
Description Linux.Satyr.a
This is a harmless non-memory resident parasitic Linux virus. The virus is a Linux executable module (ELF file). It searches for other ELF files in the system, and then infects them. The virus infects files in the following directories:
current directory
parent directory
~/ (user root directory)
~/bin (user /bin directory)
~/sbin (user /sbin directory)
/bin
/sbin
/usr/bin
/usr/local/bin
/usr/bin/X11
While infecting, the virus moves a victim's file contents down, and writes itself to the file header. To release control to the host file, the virus "disinfects" it to a temporary file and executes it.
The virus does not manifest itself in any way. Its body contains the "copyright" text string:
unix.satyr version 1.0 (c)oded jan-2001 by Shitdown [MIONS], http://shitdown.sf.cz
Linux.Vit.4096
Description Linux.Vit.4096
This is a nonmemory resident parasitic virus. The virus has the internal ELF format, replicates under Linux OS and infects Linux executable files. This is the second known Linux virus, the first being "Linux.Bliss".
Linux is a access-protected system; i.e., users and programs may access only files that they have permission to. The same is true for a virus - it may infect only the files and directories that are declared as "write-able" for the current username. If the current username has total access (system administrator), the virus will infect all the files on a computer.
When an infected file is executed, the virus takes control, searches for executable ELF files in the current directory and infects them into the middle. While infecting, the virus analyzes the internal file formats (ELF headers), locates the first code section, makes a "cave" by shifting this and the following sections down by 4096 bytes, writes its code to this "cave," modifies the file entry address and corrects necessary fields in the ELF headers.
Clean file: Infected file:
+---------------+ +---------------+
| ELF Headers |--+ | ELF Headers |--+
| | | | | |
|---------------| | |---------------|<-+ virus entry
| Section 1 |<-+ entry +-| Virus | address
| | address | | - - - - - - - |
|---------------| +>| Section 1 |
| Section 2 | | |
|---------------| |---------------|
. . . | Section 2 |
|---------------| |---------------|
| Section n | . . .
+---------------+ |---------------|
| Section n |
+---------------+
The virus looks for duplicate infection and prevents it, and, in addition, the virus infects files quite accurately: in tests, not all infected files were corrupted, and the virus was able to replicate itself from them.
While infecting, the virus uses the temporary VI324.TMP file. This file name was the reason behind the selecting of the virus name(VIxxx.Txx).
|
Home
Viruses from A to Z
0-9
A
B
Ñ
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
|