[plug] [Fwd: Tuxissa Virus: Modified Melissa Virus Alert]

Bill Cullen billc at wantree.com.au
Wed Apr 7 21:21:00 WST 1999


Ok,

It's no longer April 1st but what the hell.

> =============================================================================
> LART* Advisory LA-99.01.Tuxissa
> Original issue date: Apr. 0a, 1999
> Last revised: --
>
> Topic: Attack of the Tuxissa Virus
>
> This advisory is intended primarily for network administrators responsible
> for luser configuration and maintenance.
>
>
> Attack of the Tuxissa Virus
> March 29, 1999
>
> What started out as a prank posting to
> comp.os.linux.advocacy yesterday has turned into one of the
> most significant viruses in computing history.   The
> creator of the virus, who goes by the moniker "Anonymous
> Longhair", modified the well-known Melissa[1] virus to
> download and install Linux on infected machines.
>
> "It's a work of art," one Linux advocate told Humorix after
> he looked through the Tuxissa virus source code.  "This
> virus goes well beyond the feeble troublemaking of
> Melissa."  The advocate enumerated some of the tasks the
> virus performs in the background while the user is
> blissfully playing Solitaire:
>
> Once the virus is activated, it first works on propagating
> itself. It has a built-in email harvesting module that
> downloads all the pages referenced in the user's Internet
> Explorer bookmarks and scans them for email addresses.
> Using Outlook, the virus sends a copy of itself to every
> email address it comes across.
>
> After it has successfully reproduced, the virus begins the
> tricky process of upgrading the system to Linux.   First,
> the virus modifies AUTOEXEC.BAT so that the virus will be
> re-activated if the system crashes or is shut down while
> the upgrade is in process. Second, the virus downloads a
> stripped-down Slackware distribution, using a lengthy list
> of mirror sites to prevent the virus from overloading any
> one server.
>
> Then the virus configures a UMSDOS filesystem to install
> Linux on.  Since this filesystem resides on a FAT
> partition, there is no need to re-partition the hard drive,
> one of the few actions that the Word macro language
> doesn't allow.
>
> Next, the virus uncompresses the downloaded files into the
> new Linux filesystem.  The virus then permanently deletes
> all copies of the Windows Registry, virtually preventing
> the user from booting into Windows without a re-install.
> After modifying the boot sector, the virus terminates its
> own life by rebooting the system. The computer boots into
> the Slackware setup program, which automatically finishes
> the installation of Linux.  Finally, the dazed user is
> presented with the Linux login prompt and the text,
> "Welcome to Linux.  You'll never want to use Windows again.
> Type 'root' to begin..."
>
> The whole process takes about two hours, assuming the user
> has a decent Internet connection.  Since the virus runs
> invisibly in the background, the user has no chance to stop
> it until it's too late.
>
> The email message that the virus is attached to has the
> subject "Important Message About Windows Security".  The
> text of the body says, "I want to let you know about some
> security problems I've uncovered in Windows 95/98/NT,
> Office 95/97, and Outlook. It's critically important that
> you protect your system against these attacks.  Visit these
> sites for more information..."  The rest of the message
> contains 42 links to sites about Linux and free software.
>
> Slashdot is one of those links.  "That could spell
> trouble," one Slashdot expert told Humorix.  "Slashdot
> could fall victim to the new 'Macro Virus Effect' if this
> virus continues to propagate at its present exponential
> growth rate.  Red Hat's portal site, another site present
> on the virus' links list, seems to be quite sluggish right
> now..."
>
> Details on how the virus started are a bit sketchy.  The
> "Anonymous Longhair" who created it only posted it to
> Usenet as an early April Fool's gag, a demonstration of how
> easy it would be to mount a "Linux revolution".  Some other
> Usenet reader is responsible for actually spreading the
> virus into the wild.  One observer speculated, "I imagine
> the virus was first sent to the addresses of several
> well-known spammers.  The virus probably latched on to the
> spammer's email lists and began propagating at a fantastic
> rate.  With no boundary to its growth, this thing could
> wind up infecting every single Net-connected Wintel box in
> the world.  Wouldn't that be a shame!"
>
> Linus Torvalds, who just left for a two week vacation, was
> unavailable for comment at press time.  We have a strong
> feeling that his vacation will be cut short very soon...
>
>
>
> --- --- --- ---
>
> Check the date.
> Check the date.
> Check the date.
>
> --- --- --- ---

