Seen on comp.risks:

This advisory is intended primarily for network administrators responsible
for user configuration and maintenance.

What started out as a prank posting to comp.os.linux.advocacy yesterday has
turned into one of the most significant viruses in computing history.  The
creator of the virus, who goes by the moniker "Anonymous Longhair", modified
the well-known Melissa [1] virus to download and install Linux on infected
machines.

"It's a work of art," one Linux advocate told Humorix after he looked
through the Tuxissa virus source code.  "This virus goes well beyond the
feeble troublemaking of Melissa."  The advocate enumerated some of the tasks
the virus performs in the background while the user is blissfully playing
Solitaire.

Once the virus is activated, it first works on propagating itself. It has a
built-in e-mail harvesting module that downloads all the pages referenced in
the user's Internet Explorer bookmarks and scans them for e-mail addresses.
Using Outlook, the virus sends a copy of itself to every e-mail address it
comes across.

After it has successfully reproduced, the virus begins the tricky process of
upgrading the system to Linux.  First, the virus modifies AUTOEXEC.BAT so
that the virus will be re-activated if the system crashes or is shut down
while the upgrade is in process. Second, the virus downloads a stripped-down
Slackware distribution, using a lengthy list of mirror sites to prevent the
virus from overloading any one server.

Then the virus configures a UMSDOS filesystem to install Linux on.  Since
this filesystem resides on a FAT partition, there is no need to re-partition
the hard drive, one of the few actions that the Word macro language doesn't
allow.

Next, the virus uncompresses the downloaded files into the new Linux
filesystem.  The virus then permanently deletes all copies of the Windows
Registry, virtually preventing the user from booting into Windows without a
re-install.  After modifying the boot sector, the virus terminates its own
life by rebooting the system. The computer boots into the Slackware setup
program, which automatically finishes the installation of Linux.  Finally,
the dazed user is presented with the Linux login prompt and the text,
"Welcome to Linux.  You'll never want to use Windows again.  Type 'root' to
begin..."

The whole process takes about two hours, assuming the user has a decent
Internet connection.  Since the virus runs invisibly in the background, the
user has no chance to stop it until it's too late.

The e-mail message that the virus is attached to has the subject "Important
Message About Windows Security".  The text of the body says, "I want to let
you know about some security problems I've uncovered in Windows 95/98/NT,
Office 95/97, and Outlook. It's critically important that you protect your
system against these attacks.  Visit these sites for more information..."
The rest of the message contains 42 links to sites about Linux and free
software.

Slashdot is one of those links.  "That could spell trouble," one Slashdot
expert told Humorix.  "Slashdot could fall victim to the new 'Macro Virus
Effect' if this virus continues to propagate at its present exponential
growth rate.  Red Hat's portal site, another site present on the virus'
links list, seems to be quite sluggish right now..."

Details on how the virus started are a bit sketchy.  The "Anonymous
Longhair" who created it only posted it to Usenet as an early April Fool's
gag, a demonstration of how easy it would be to mount a "Linux revolution".
Some other Usenet reader is responsible for actually spreading the virus
into the wild.  One observer speculated, "I imagine the virus was first sent
to the addresses of several well-known spammers.  The virus probably latched
on to the spammer's e-mail lists and began propagating at a fantastic rate.
With no boundary to its growth, this thing could wind up infecting every
single Net-connected Wintel box in the world.  Wouldn't that be a shame!"

Linus Torvalds, who just left for a two-week vacation, was unavailable for
comment at press time.  We have a strong feeling that his vacation will be
cut short very soon...

-- 
Nail [X] here for new monitor.
