[4023] in bugtraq
Re: Bliss: The Facts (fwd)
daemon@ATHENA.MIT.EDU (Aleph One)
Sun Feb 9 21:52:53 1997
Date: Sun, 9 Feb 1997 19:56:38 -0600
Reply-To: Aleph One <aleph1@DFW.NET>
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@netspace.org
In-Reply-To: <Pine.LNX.3.95.970209120816.7804A-100000@pc5829.hil.siemens.at>;
from Ingo Molnar on Feb 9, 1997 12:09:38 +0100
Ingo Molnar writes:
> ----- Forwarded message from Alan Cox -----
>
> From: alan@lxorguk.ukuu.org.uk (Alan Cox)
> Subject: Bliss: The Facts
> Date: Sat, 8 Feb 1997 01:24:30 +0000 (GMT)
>
> 1. Bliss is a real program
>
> 2. It's really a trojan rather than a virus, but has a few simple worm
> like properties.
Unfortunately, Alan's 'facts' seem to be based on the faulty comments of
others, and not actually having looked at the program.
It is indeed a virus, and there are two versions of it. The first, which
was posted to Usenet some months ago, did not run the original if the
infected binary is not in the current directory. The second searches the
path and properly runs the original.
It is correct that it has a few simple worm-like properties.
> It works like this
>
> When it runs it attempts to replace some system binaries with itself
> and move the system binaries into /tmp/.bliss. Having done this
> it runs /tmp/.bliss/programname
It prepends itself to some binaries (searching the path, and some other
places). It logs infections to the file /tmp/.bliss (filename, time, and
apparently the virus version). When an infected binary is run, it extracts
the original to /tmp and execs it.
All of this is readily observable after spending just a few minutes playing
with the program.
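
A defensive check for the behaviour described in this message (the program prepends itself to a binary and later extracts the original), as an added example that is not part of the original post: it works out where the first ELF image in a file ends and reports a second ELF image stored after it. It assumes the binaries are ELF; `first_image_end`, `embedded_elf_offset` and `make_sample_elf` are hypothetical names, and the sample file is constructed.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# Per ELF class: header size, e_phoff/e_shoff (offset, fmt), e_phentsize offset, field offsets, word fmt.
LAYOUT = {1: (52, (28, "II"), 42, (4, 16), (16, 20), "I"),
          2: (64, (32, "QQ"), 54, (8, 32), (24, 32), "Q")}

def first_image_end(data):
    """Offset just past the first ELF image in data, or None if it does not parse."""
    if data[:4] != ELF_MAGIC or len(data) < 6 or data[4] not in LAYOUT or data[5] not in (1, 2):
        return None
    ehsize, (tbl_off, tbl_fmt), cnt_off, ph, sh, word = LAYOUT[data[4]]
    bo = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    try:
        phoff, shoff = struct.unpack_from(bo + tbl_fmt, data, tbl_off)
        phentsize, phnum, shentsize, shnum = struct.unpack_from(bo + "4H", data, cnt_off)
        end = max(ehsize, phoff + phnum * phentsize if phnum else 0,
                  shoff + shnum * shentsize if shnum else 0)
        for i in range(phnum):  # segments: p_offset + p_filesz
            base = phoff + i * phentsize
            off, = struct.unpack_from(bo + word, data, base + ph[0])
            size, = struct.unpack_from(bo + word, data, base + ph[1])
            end = max(end, off + size)
        for i in range(shnum):  # sections: sh_offset + sh_size
            base = shoff + i * shentsize
            typ, = struct.unpack_from(bo + "I", data, base + 4)
            off, = struct.unpack_from(bo + word, data, base + sh[0])
            size, = struct.unpack_from(bo + word, data, base + sh[1])
            if typ != 8:  # SHT_NOBITS occupies no bytes in the file
                end = max(end, off + size)
    except struct.error:  # truncated or malformed tables
        return None
    return end

def embedded_elf_offset(data):
    """Offset of a second ELF image stored after the first one, else None."""
    end = first_image_end(data)
    if end is None or end >= len(data):
        return None
    idx = data.find(ELF_MAGIC, end)
    return None if idx == -1 else idx

def make_sample_elf(payload):
    """Constructed minimal ELF64 (one PT_LOAD covering the file); not a real binary."""
    total = 64 + 56 + len(payload)
    ehdr = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0x400078, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, total, total, 0x1000)
    return ehdr + phdr + payload
```

A hit is a lead rather than proof: some legitimate files also carry a second ELF image after the first, so compare flagged binaries against known-good copies.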