LinuxSA Mailing list archives

  From: behoffski <behoffski@grouse.com.au>
  To  : linuxsa@linuxsa.org.au
  Date: Wed, 07 Apr 1999 09:12:47 +0930

A Linux virus found (extracted from RISKS-digest 20.29)

Date:   Tue, 30 Mar 1999 05:31:34 +0200
From: Anonymous <nobody@REPLAY.COM>
Subject: Attack of the Tuxissa Virus

  [Contributed belatedly by several RISKS readers.  TNX.  Sorry we could 
  not have included it in one of YESTERDAY'S three issues.  PGN]

LART* Advisory LA-99.01.Tuxissa
Original issue date: Apr. 0a, 1999
Last revised: --

Topic: Attack of the Tuxissa Virus

This advisory is intended primarily for network administrators responsible
for user configuration and maintenance.

Attack of the Tuxissa Virus, March 29, 1999

What started out as a prank posting to comp.os.linux.advocacy yesterday has
turned into one of the most significant viruses in computing history.  The
creator of the virus, who goes by the moniker "Anonymous Longhair", modified
the well-known Melissa [1] virus to download and install Linux on infected
machines.

"It's a work of art," one Linux advocate told Humorix after he looked
through the Tuxissa virus source code.  "This virus goes well beyond the
feeble troublemaking of Melissa."  The advocate enumerated some of the tasks
the virus performs in the background while the user is blissfully playing
Solitaire.

Once the virus is activated, it first works on propagating itself.  It has a
built-in e-mail harvesting module that downloads all the pages referenced in
the user's Internet Explorer bookmarks and scans them for e-mail addresses.
Using Outlook, the virus sends a copy of itself to every e-mail address it
comes across.

After it has successfully reproduced, the virus begins the tricky process of
upgrading the system to Linux.  First, the virus modifies AUTOEXEC.BAT so
that the virus will be re-activated if the system crashes or is shut down
while the upgrade is in process.  Second, the virus downloads a stripped-down
Slackware distribution, using a lengthy list of mirror sites to prevent the
virus from overloading any one server.

Then the virus configures a UMSDOS filesystem to install Linux on.  Since
this filesystem resides on a FAT partition, there is no need to re-partition
the hard drive, one of the few actions that the Word macro language doesn't
allow.

Next, the virus uncompresses the downloaded files into the new Linux
filesystem.  The virus then permanently deletes all copies of the Windows
Registry, virtually preventing the user from booting into Windows without a
re-install.  After modifying the boot sector, the virus terminates its own
life by rebooting the system.  The computer boots into the Slackware setup
program, which automatically finishes the installation of Linux.  Finally,
the dazed user is presented with the Linux login prompt and the text,
"Welcome to Linux.  You'll never want to use Windows again.  Type 'root' to
begin..."

The whole process takes about two hours, assuming the user has a decent
Internet connection.  Since the virus runs invisibly in the background, the
user has no chance to stop it until it's too late.

The e-mail message that the virus is attached to has the subject "Important
Message About Windows Security".  The text of the body says, "I want to let
you know about some security problems I've uncovered in Windows 95/98/NT,
Office 95/97, and Outlook.  It's critically important that you protect your
system against these attacks.  Visit these sites for more information..."
The rest of the message contains 42 links to sites about Linux and free
software.

Slashdot is one of those links.  "That could spell trouble," one Slashdot
expert told Humorix.  "Slashdot could fall victim to the new 'Macro Virus
Effect' if this virus continues to propagate at its present exponential
growth rate.  Red Hat's portal site, another site present on the virus'
links list, seems to be quite sluggish right now..."

Details on how the virus started are a bit sketchy.  The "Anonymous
Longhair" who created it only posted it to Usenet as an early April Fool's
gag, a demonstration of how easy it would be to mount a "Linux revolution".
Some other Usenet reader is responsible for actually spreading the virus
into the wild.  One observer speculated, "I imagine the virus was first sent
to the addresses of several well-known spammers.  The virus probably latched
on to the spammer's e-mail lists and began propagating at a fantastic rate.
With no boundary to its growth, this thing could wind up infecting every
single Net-connected Wintel box in the world.  Wouldn't that be a shame!"

Linus Torvalds, who just left for a two week vacation, was unavailable for
comment at press time.  We have a strong feeling that his vacation will be
cut short very soon...

[1] http://linuxtoday.com/stories/4463.html

James S. Baughn  http://i-want-a-website.com/about-linux/

  [For those of you not familiar with the imagery, think about what erect
  short-legged flightless aquatic-bird operating-system symbol seems to be
  wearing a tux.  But then don't ask about who the Mel in Melissa is.  PGN]

-----------------------------------

Some information on RISKS:

RISKS-LIST: Risks-Forum Digest  Friday 2 April 1999  Volume 20 : Issue 29

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 SEND DIRECT E-MAIL REQUESTS to <risks-request@csl.sri.com> with one-line,
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
   INFO     [for unabridged version of RISKS information]
 .MIL users should contact <risks-request@pica.army.mil> (Dennis Rears).
 .UK users should contact <Lindsay.Marshall@newcastle.ac.uk>.
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html
 ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
 or http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
 PostScript copy of PGN's comprehensive historical summary of one liners:
   illustrative.PS at ftp.sri.com/risks .



-- 
behoffski (Brenton Hoff) | Software Engineer, Grouse Software
behoffski@grouse.com.au  | http://www.grouse.com.au/
