rst virus


Guest

Hello and good evening to everyone.

Please can anyone tell me what virus this is and what harm it can do: rst
217.146.188.193.
 
bblee34 said:
Hello and good evening to everyone.

Please can anyone tell me what virus this is and what harm it can do: rst
217.146.188.193.

Well Smart, that should be a question for the Linux NG (unless you got it on MS;
if so, let us know). The one you got is a nasty virus created specially for the
Linux platform operating system. http://217.146.188.193 is the web page the
virus would like to access; it also creates an Exterior Gateway Protocol (EGP)
socket for backdoor purposes.
You get the virus through an e-mail, or by accessing a website and downloading an
infected application, or by letting plug-ins install automatically on your Mozilla;
all of that can lead to the infection. If the bad code, or the programmer of the
code, or the user of that code was/were able to execute commands on your Linux
operating system platform, then you know it: Linux is great for commands, but only
if it is from the owner and not from the hacker side of things.
Bottom line: if you have an old version, try to get Ubuntu. Gentoo is
good, but Ubuntu is friendlier than the latter.

Virus name: Linux/RST.B or /A
<Quote>
The viral part works by attaching itself to normal ELF executables, patching
their header, and moving the entrypoint to the viral code. At the same time, the
virus relocates all the data found after the original host code to the end of
its own code.

It is interesting to note that the virus also performs an anti-debugging check
by seeing whether the current process is 'ptrace'-ed. If so, it will
immediately terminate execution. If not, the virus looks for all the files in
the current directory, and attempts to infect them. After this, it will also
attempt to infect all the files in the '/bin' directory, which under normal
conditions will only work if the infected program has been run under an account
with higher privileges. There is no attempt in the viral code to exploit any
Linux vulnerabilities in order to obtain higher access when the virus is run on
a normal user account.

The backdoor part of the virus attempts to create two new devices named
"/dev/hdx1" and "/dev/hdx2", and if the creation succeeds, it checks for the
existence of the two standard network interfaces 'eth0' or 'ppp0', and attempts
to set them into "promiscuous" mode. It also attempts to create an "Exterior
Gateway Protocol" (EGP) raw socket, and put it into listening mode.

When a special EGP IP packet arrives, the virus will check whether the 23rd
byte in the data-packet is 0x11, then it will check for the presence of a
specific password, as a 3-byte string at the offset 0x2a in the buffer. If
these two conditions are met, the backdoor will check for a "command" byte,
which is either 1 or 2 - if the "command" byte is "1", it will spawn a standard
"/bin/sh" shell, which the attacker can control on the remote system.

Two strings can be seen inside the virus, but they are not used anywhere in
the code. These strings are "snortdos" and "tory".
</Quote>
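As an added illustration of the indicators in the quoted description (this is not part of the original post or of any AV vendor's tooling): a small Python host check that reports the "/dev/hdx1" and "/dev/hdx2" device nodes, interfaces left in promiscuous mode, and raw sockets bound to IP protocol 8 (EGP), which are the artefacts the backdoor half leaves behind. The /proc/net/raw sample is constructed, and the function names are my own.

```python
import os

# Host-side indicators from the description above: the two device nodes, an
# interface forced into promiscuous mode, and a raw socket for IP protocol 8
# (EGP). Sniffers such as tcpdump also set IFF_PROMISC, so that check alone is
# weak evidence; the EGP raw socket together with the device nodes is stronger.
SUSPECT_DEVICES = ("/dev/hdx1", "/dev/hdx2")
IPPROTO_EGP = 8        # IANA protocol number for EGP
IFF_PROMISC = 0x100    # interface flag bit from <linux/if.h>

def egp_raw_sockets(proc_net_raw_text):
    """Inode ids of raw sockets bound to protocol 8. In /proc/net/raw the
    'port' half of local_address is the IP protocol number in hex."""
    inodes = []
    for line in proc_net_raw_text.splitlines()[1:]:   # skip column header
        cols = line.split()
        if len(cols) >= 10 and int(cols[1].split(":")[1], 16) == IPPROTO_EGP:
            inodes.append(cols[9])                     # inode column
    return inodes

def promiscuous_ifaces(flags_by_iface):
    """flags_by_iface: interface name -> int(/sys/class/net/<if>/flags, 16)."""
    return sorted(n for n, f in flags_by_iface.items() if f & IFF_PROMISC)

def rst_indicators(proc_net_raw_text, flags_by_iface, existing_paths):
    """Combine the three indicators; any non-empty list is a hit."""
    return {
        "devices": [d for d in SUSPECT_DEVICES if d in existing_paths],
        "promisc": promiscuous_ifaces(flags_by_iface),
        "egp_raw_sockets": egp_raw_sockets(proc_net_raw_text),
    }

def read_iface_flags(sysfs_net="/sys/class/net"):
    """Read interface flags from sysfs (Linux only); empty dict elsewhere."""
    flags = {}
    for name in (os.listdir(sysfs_net) if os.path.isdir(sysfs_net) else []):
        try:
            with open(os.path.join(sysfs_net, name, "flags")) as fh:
                flags[name] = int(fh.read().strip(), 16)   # e.g. "0x1103"
        except OSError:
            pass
    return flags

# Constructed sample of /proc/net/raw: an ICMP socket (proto 1) and an EGP one.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 40011 2 0 0
   8: 00000000:0008 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 40022 2 0 0
"""
```

On a live Linux host, pass the contents of /proc/net/raw, read_iface_flags(), and the set of SUSPECT_DEVICES paths that os.path.exists() reports to rst_indicators(); the inode ids it returns can be matched against /proc/*/fd to find the owning process.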
 