Re: Staog virus

Jared Mauch (jared@wolverine.hq.cic.net)
Sat, 8 Feb 1997 21:33:48 -0500 (EST)


Once again, please take this to a security list as it has nothing
to do with kernel development. If any of these things exploit a known
kernel bug, they belong here, otherwise please leave this list alone.

Also, there they should be able to describe the difference
between a trojan horse, worm, and virus to you.

- Jared

Eric Hoeltzel graced my mailbox with this long-sought knowledge:
>
> I haven't paid any attention to the virus scene for quite a while
> but the Bliss thing got me wondering. Found this at datafellows
> site, if anyone is interested. Doesn't look to me like being a
> Linux virus writer has any long-term career opportunities.
>
> Regards,
> Eric
>
>
> NAME: Staog
> SIZE: 4744
>
> This virus spreads only under the Linux operating system, infecting
> ELF-style executables. Found in the fall of 1996, Staog is the
> first known Linux virus.
>
> Staog is written in assembler. It attempts to stay resident and
> infect binaries as they are executed by any user. Staog tries to
> subvert root access via three known vulnerabilities (mount buffer
> overflow, tip buffer overflow and one suidperl bug).
>
> Staog contains several text strings, including:
>
> Staog by Quantum / VLAD
> /dev/kmemx/etc/mtab~
> /sbin/mount
> /tmp/t.dip
> /bin/sh
> /sbin/dip /tmp/t.dip
> chatkey
> /tmp/hs
> #!/bin/sh\nchmod 666 /dev/kmem\n/tmp/hs
> #!/usr/bin/suidperl -U\n$ENV{PATH}=\"/bin:/usr/bin\";
> \n$>=0;$<=0;\nexec(\"chmod 666 /dev/kmem\");\n
>
> VLAD is an Australian virus group, which also wrote the first Windows
> 95 virus, Boza.
>
> Staog can be detected by searching all binaries for the following hex
> search string:
>
> 215B31C966B9FF0131C0884309884314B00FCD80
>
> Staog is not known to be in the wild at the time of this writing
> (February 1997).
>
> [Analysis: Mikko Hypponen, Data Fellows Ltd's F-PROT Pro Support]
>
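One way to act on the hex search string in the quoted description, as an added example that is not code from the original post, from Jared, or from Data Fellows: a small Python scanner that walks a directory, restricts itself to files beginning with the ELF magic (the only kind the description says Staog infects), and reports the byte offset of the signature in any file that carries it. The only datum taken from the page is the 20-byte signature; the function names, the chunk size, and the sample files the demo builds are assumptions made for this example, and those sample files are constructed stand-ins, not real infected binaries.

```python
"""Signature scan for the Staog hex search string quoted above.

Added example; not code from the original thread or from Data Fellows.
The signature bytes come from the quoted description. Everything else
(function names, chunk size, the sample tree) is an assumption made here.
"""
import io
import os
import tempfile
from typing import BinaryIO, List, Tuple

# Hex search string from the Data Fellows description, as raw bytes.
STAOG_SIGNATURE = bytes.fromhex("215B31C966B9FF0131C0884309884314B00FCD80")
ELF_MAGIC = b"\x7fELF"


def is_elf(path: str) -> bool:
    """True if the file starts with the ELF magic; Staog only infects ELF files."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_stream(fh: BinaryIO, signature: bytes = STAOG_SIGNATURE,
                chunk: int = 1 << 20) -> int:
    """Return the file offset of the first match of signature, or -1.

    Reads in fixed-size chunks but keeps an overlap of len(signature) - 1
    bytes from the previous chunk, so a match straddling a chunk boundary
    is still found.
    """
    overlap = len(signature) - 1
    tail = b""        # trailing bytes of the previous chunk
    base = 0          # file offset at which the current chunk starts
    while True:
        data = fh.read(chunk)
        if not data:
            return -1
        buf = tail + data
        idx = buf.find(signature)
        if idx != -1:
            # buf begins at file offset base - len(tail)
            return base - len(tail) + idx
        tail = buf[-overlap:] if overlap else b""
        base += len(data)


def scan_bytes(data: bytes, signature: bytes = STAOG_SIGNATURE,
               chunk: int = 1 << 20) -> int:
    """In-memory wrapper around scan_stream (handy for testing boundaries)."""
    return scan_stream(io.BytesIO(data), signature, chunk)


def find_signature(path: str, signature: bytes = STAOG_SIGNATURE) -> int:
    """Offset of the signature in the file at path, or -1 if absent."""
    with open(path, "rb") as fh:
        return scan_stream(fh, signature)


def scan_tree(root: str, elf_only: bool = True) -> List[Tuple[str, int]]:
    """Walk root; return sorted (path, offset) pairs for files carrying the signature."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if elf_only and not is_elf(path):
                continue
            off = find_signature(path)
            if off != -1:
                hits.append((path, off))
    return sorted(hits)


def build_sample_tree(root: str) -> None:
    """Constructed test data: a fake 'infected' ELF, a clean ELF, and a text
    file that contains the same bytes but is not ELF (should be skipped)."""
    os.makedirs(os.path.join(root, "bin"), exist_ok=True)
    with open(os.path.join(root, "bin", "infected"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x00" * 100 + STAOG_SIGNATURE + b"\x00" * 50)
    with open(os.path.join(root, "bin", "clean"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x00" * 200)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"text file that merely quotes the bytes: " + STAOG_SIGNATURE)


def demo() -> List[Tuple[str, int]]:
    """Build the sample tree in a temp dir, scan it, return hits relative to root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.relpath(p, root), off) for p, off in scan_tree(root)]


if __name__ == "__main__":
    for path, off in demo():
        print(f"{path}: Staog signature at offset {off:#x}")
```

Run against a real tree with `scan_tree("/usr/bin")` or similar. Note the usual caveat with a fixed byte string: it matches this exact variant only, and the text file in the demo shows why restricting the walk to ELF files matters, since the same bytes can legitimately appear in a document that quotes the signature.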