Virus.Multi.Pelf.2132 (Kaspersky Lab)
is also known as: Pelf.2132 (Kaspersky Lab), Linux/Lindose (McAfee), W32.Peelf.2132 (Symantec), Win32/Linux.Benny.2132 (Doctor Web), Linux/Lindose (Sophos), Linux/Lindose.2132.A (RAV), ELF_LINDOSE.A (Trend Micro), W32/Winux (H+BEDV), Unix/Lindose (FRISK), Win32:Lindose (ALWIL), Win32/Lindose (Grisoft), Linux.PEELF.2132 (SOFTWIN), W32.Winux (ClamAV), ELF/Winux.2784 (Panda), Elf/Lindose.2132 (Eset)
Description added: Mar 28 2001
Behavior: Virus
(aka Lindose)
This is a harmless, non-memory-resident, parasitic multipartite virus. It infects
executable files of both Windows and Linux (Windows PE files and Linux ELF
files).
The virus is written in Assembler and is about 2.5 KB in size. It does not
manifest itself in any way, and is best regarded as a proof of concept for a
multi-platform Windows-Linux virus.
The virus contains the text strings:
[Win32/Linux.Winux] multi-platform virus by Benny/29A
This GNU program is covered by GPL.
To infect executable files of both systems, and to spread under both of these
systems, the virus routines are separated into two blocks: the former block is
activated under Windows, where it looks for Windows and Linux executable files
and infects them; the latter block is activated under Linux, where it looks for
executable files and infects them as well.
The Windows part
It searches for all files in the current and upper directory, and infects
PE files and Linux ELF files (it checks the file type by file format). It infects
both types, and has two subroutines for each type (Windows version).
The Linux part
This part searches for all files in the current directory, and infects
PE files and Linux ELF files (it checks the file type by file format). It infects
both types, and has two subroutines for each type (Linux version).
Infecting Windows PE files
The virus scans for the ".reloc" section. If this section is found, the virus
writes itself to the middle of the file. It saves the original Entry Point address,
and restores the PE file after it has finished its work.
Infecting Linux ELF files
The virus writes itself to the Entry Point of the file. The original code from
the Entry Point is saved at the end of the file, and the virus restores the ELF
file after finishing its work.
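
For triage, the traits described above can be checked statically. This sketch is an added example, not part of the original description or any vendor's detection logic. It identifies PE and ELF files by format rather than extension, looks for the two text strings quoted above, and reports whether a PE file has a ".reloc" section. All function names and the sample image are constructed for illustration, and a string hit is a pointer for further analysis, not a verdict.

```python
import struct

# Text strings the description above says the virus body contains.
MARKERS = (
    b"[Win32/Linux.Winux] multi-platform virus by Benny/29A",
    b"This GNU program is covered by GPL.",
)

def file_type(data):
    """Identify PE or ELF by file format, not by extension."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "PE"
    return None

def pe_sections(data):
    """Return the section names listed in a PE file's section table."""
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    (nsect,) = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    return [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(nsect)]

def scan(data):
    """Triage one file image: type, marker hits and, for PE, .reloc presence."""
    kind = file_type(data)
    if kind is None:
        return None  # neither PE nor ELF: outside the scope described above
    hits = [m.decode() for m in MARKERS if m in data]
    report = {"type": kind, "markers": hits, "suspicious": bool(hits)}
    if kind == "PE":
        try:
            report["has_reloc"] = ".reloc" in pe_sections(data)
        except struct.error:  # truncated or malformed headers
            report["has_reloc"] = None
    return report

def sample_pe(payload=b""):
    """Constructed minimal PE image (headers only) used as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    sect = lambda name: name.ljust(8, b"\0") + b"\0" * 32
    return dos + b"PE\0\0" + coff + sect(b".text") + sect(b".reloc") + payload
```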