
Virus.Linux.Vit.4096

Aliases
Virus.Linux.Vit.4096 (Kaspersky Lab) is also known as: Linux.Vit.4096 (Kaspersky Lab), Linux/Vit (McAfee), Linux.Vit.4096 (Symantec), Linux.Vit.4096 (Doctor Web), Linux/Vit-4096 (Sophos), Linux/Vit.4096 (RAV), ELF_VIT.4096 (Trend Micro), Linux/Vit.4096 (H+BEDV), Unix/Vit (FRISK), LINUX:Silly (ALWIL), Linux.Vit.4096 (SOFTWIN), LINUX.Vit.4096 (ClamAV), Linux/Vit.4096 (Panda), Elf/Vit.4096 (Eset)
Description added: Mar 07 2000
Behavior: Virus
Technical details

This is a non-memory-resident parasitic virus. The virus itself is in ELF format, replicates under the Linux OS and infects Linux executable files. This is the second known Linux virus, the first being "Linux.Bliss".

Linux is an access-protected system; i.e., users and programs may access only the files that they have permission to access. The same is true for a virus: it may infect only the files and directories that are writable for the current username. If the current username has total access (system administrator), the virus will infect all the files on a computer.

When an infected file is executed, the virus takes control, searches for executable ELF files in the current directory and infects them by inserting its code into the middle of the file. While infecting, the virus analyzes the internal file format (ELF headers), locates the first code section, makes a "cave" by shifting this and the following sections down by 4096 bytes, writes its code to this "cave," modifies the file entry address and corrects the necessary fields in the ELF headers.

Clean file:                     Infected file:
+---------------+               +---------------+
|  ELF Headers  |--+            |  ELF Headers  |--+
|               |  |            |               |  |
|---------------|  |            |---------------|<-+ virus entry
|  Section 1    |<-+ entry    +-|    Virus      |    address
|               |    address  | | - - - - - - - |
|---------------|             +>|  Section 1    |
|  Section 2    |               |               |
|---------------|               |---------------|
|    . . .      |               |  Section 2    |
|---------------|               |---------------|
|  Section n    |               |    . . .      |
+---------------+               |---------------|
                                |  Section n    |
                                +---------------+
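
A defender's check for the layout shown above, as an added example that is not part of the original description: it flags ELF32 little-endian files whose entry address does not fall inside any executable section. It assumes the inserted region is not covered by an executable section header, which the description does not state; `entry_verdict`, `build_sample` and the sample addresses are constructed for illustration.

```python
import struct

EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # ELF32 little-endian file header (52 bytes)
SHDR = struct.Struct("<10I")               # ELF32 section header (40 bytes)
SHF_EXECINSTR = 0x4                        # section holds machine instructions

def entry_verdict(data: bytes) -> str:
    """Classify where e_entry points relative to the executable sections."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only ELF32 little-endian is handled in this example")
    fields = EHDR.unpack_from(data)
    entry, shoff, shentsize, shnum = fields[4], fields[6], fields[11], fields[12]
    if shoff == 0 or shnum == 0:
        return "no-section-table"          # stripped table: heuristic cannot decide
    if shentsize < SHDR.size or shoff + shnum * shentsize > len(data):
        raise ValueError("section header table is truncated or malformed")
    for i in range(shnum):
        _, _, flags, addr, _, size, *_ = SHDR.unpack_from(data, shoff + i * shentsize)
        if flags & SHF_EXECINSTR and addr <= entry < addr + size:
            return "entry-in-code"
    return "entry-outside-code"            # worth a closer look, not proof of infection

def build_sample(entry: int, text_addr: int, text_size: int) -> bytes:
    """Constructed input: ELF32 header plus a null and one executable section header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, 2, 3, 1, entry, 0, EHDR.size, 0,
                     EHDR.size, 0, 0, SHDR.size, 2, 0)
    null = SHDR.pack(*([0] * 10))
    text = SHDR.pack(0, 1, 0x6, text_addr, 0, text_size, 0, 0, 16, 0)
    return ehdr + null + text

# Constructed samples mirroring the diagram: entry at Section 1, then the same
# entry value with Section 1 moved 4096 bytes further down.
CLEAN = build_sample(0x08048100, 0x08048100, 0x400)
SHIFTED = build_sample(0x08048100, 0x08048100 + 4096, 0x400)

if __name__ == "__main__":
    print(entry_verdict(CLEAN), entry_verdict(SHIFTED))
```

An "entry-outside-code" result is a triage signal only; packers and unusual linkers can produce it in clean files.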

The virus checks for an existing infection and does not infect a file twice. In addition, the virus infects files quite accurately: in tests, not all infected files were corrupted, and the virus was able to replicate itself from them.

While infecting, the virus uses the temporary file VI324.TMP. This file name is the origin of the virus name (VIxxx.Txx).

 

Copyright © 1996 - 2010
Kaspersky Lab
All rights reserved