[4010] in bugtraq
Re: [linux-security] Re: Linux virus
daemon@ATHENA.MIT.EDU (Leejay Wu)
Wed Feb 5 13:04:45 1997
Date: Wed, 5 Feb 1997 11:48:49 -0500
Reply-To: Leejay Wu <fuego+@CMU.EDU>
From: Leejay Wu <fuego+@CMU.EDU>
X-To: linux-security@tarsier.cv.nrao.edu
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199702051016.CAA20294@antares.starshine.org>
Excerpts from internet.computing.linux-security: 5-Feb-97
[linux-security] Re: Linux .. by Jim Dennis@starshine.org
> > Today I became infected with the bliss virus, any info on this would be
> > appreciated! How do I scan for files infected and is it possible to
> > remove it? I first noticed the infection when running a program (not as
> > root) messages flashed on the screen about traversing directories and
> > such. The program (gimp) had been working fine since I downloaded the
> > binary for gimp from their main site. The gimp people told me they have
> > not been receiving complaints their binaries are infected, so something
> > else must be the source.
Memory plus a Dejanews search reveals seven posts last fall that were
crossposted to... alt.comp.virus, comp.os.linux.misc, and comp.security.unix.
(dejanews filter:
newsgroups: comp.os.linux.*
subject: bliss
)
-- The original post was a forgery with the subject "oops, I leaked an
alpha copy of Bliss", crossposted to comp.os.linux.misc, *alt.comp.virus*,
and comp.security.unix ..., posted Sep. 29, 1996, with these headers as
archived by dejanews:
Subject: oops, I leaked an alpha copy of Bliss (i386-linux-elf binary only)
From: nobody@aol.com
Date: 1996/09/29
Message-Id: <i.forged.this.post.cause@i.dont.want.it.to.be.known.who.leaked.this.early>
X-Mail2news-Path: news.demon.net!agora.rdrop.com!191.87.208.4
X-Nntp-Posting-User: nobody@"[191.87.208.4]"
Newsgroups: alt.comp.virus,comp.os.linux.misc,comp.security.unix
-- Perhaps somebody has already tried to track that down? Or has a full copy
of the original post? That's the first mention of it that I remember, or
that Dejanews found in comp.os.linux.* ...
-- This provided a UUencoded gzipped file titled 'bliss.gz', that was
discussed as having the properties cited recently (searching through the
PATH and infecting files).
-- In the same set of seven posts, there's an strace, the original of
a recently reposted post on removing bliss, and a dump of the strings
in the binary.
Hope that helps.
--Leejay Wu- PGP keyprint: 00 27 9C F3 2B ED 9C 30 86 F7 B2 07 C9 6D 52 0D--
| <fuego+@cmu.edu> ...there is no light but for darkness... conflict brings |
| truth... I speak for none but myself... finger for W3 URLs, PGP stuff |
--Carpe carp --- Information is power ---- this .sig last revised 960905-----