Virus.Linux.Alaeda (Kaspersky Lab) is also known as: Linux.Alaeda (Kaspersky Lab), Linux/Alaeda (McAfee), Linux.Alaeda (Symantec), Linux/Alaeda-A (Sophos), Linux/Alaeda.A (Grisoft), Linux.Alaeda.A (SOFTWIN), Linux/Alaeda.A (Panda), Linux/Alaeda.A (Eset)

| Description added | May 24 2007 |
| Behavior | Virus |

Alaeda is a non-resident virus. It infects systems running Linux, and is written
in Assembler. It infects ELF format files in the current directory.

When infecting, the virus modifies the entry point of the original file, passing
control to the infection routine. It also modifies the file's ELF header. Before
infecting, the virus checks whether the victim machine can be infected.
The .text section of the file to be infected must be of a minimum size for the
malicious code to be injected.

The virus writes its body to the .text section; the size of the infected file
does not change, which makes the infection harder to detect.

Once the virus body has delivered its payload, control is returned to the
program code.

Repeat infection of an already infected file is prevented by a "!" flag placed
in a reserved byte of the ELF header, at offset Fh, which is not used by the
interpreter.

The following strings can be found in infected files:
AL-QAEDA 1-02-032
With help of Allah I will die for Allah
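
The two indicators described above (the "!" byte at header offset Fh and the embedded strings) can be checked across one directory of files. This is an added example, not code from the original description; the function names and sample files are constructed for illustration, and because the marker byte is a single value it is best treated as a weak indicator unless a string also matches.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
MARKER_OFFSET = 0x0F           # reserved header byte named in the description
MARKER_VALUE = ord("!")        # 0x21
STRINGS = (b"AL-QAEDA 1-02-032",
           b"With help of Allah I will die for Allah")

def check_elf(path):
    """Return the indicators found in one file ([] if none or not ELF)."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        return []              # not an ELF file: the marker byte means nothing
    hits = []
    if data[MARKER_OFFSET] == MARKER_VALUE:
        hits.append("marker")
    hits += ["string" for s in STRINGS if s in data]
    return hits

def scan_dir(directory):
    """Map file name -> indicators for regular files in one directory."""
    found = {}
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            hits = check_elf(entry.path)
            if hits:
                found[entry.name] = hits
    return found

def demo():
    """Scan constructed sample files (fake 64-byte headers, not real binaries)."""
    clean = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(56)
    marked = bytearray(clean)
    marked[MARKER_OFFSET] = MARKER_VALUE
    samples = {
        "clean": clean,
        "marked": bytes(marked),
        "marked_with_string": bytes(marked) + STRINGS[0],
        "note.txt": b"not an ELF file!",   # '!' at offset 0x0F but no ELF magic
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(blob)
        return scan_dir(tmp)

if __name__ == "__main__":
    for name, hits in sorted(demo().items()):
        print(name, hits)
```

Since the infected file's size does not change, size comparisons against a baseline will not flag it; a content hash comparison against known-good binaries complements this header check.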