Linux.Simile
Discovered on: May 22, 2002
Last Updated on: May 29, 2002 at 08:58:01 PM PDT
{Win32,Linux}/Simile.D is a very complex virus that uses entry-point obscuring, metamorphism, and polymorphic decryption. It is the first known polymorphic metamorphic virus to infect under both Windows and Linux. The virus contains no destructive payload, but infected files may display messages on certain dates. It is the fourth variant of the Simile family. This variant introduces a new infection mechanism on Intel Linux platforms, infecting 32-bit ELF files (a standard Unix binary format). The virus infects PE files as well as ELFs on both Linux and Win32 systems. So far Symantec has not received any submission of this virus from customers.
When the virus is first executed, it checks the current date. If the virus host is a PE file, then on the 17th of March or September, a message box is displayed that looks like the following:
If the host is an ELF file, then on the 17th of March or the 14th of May, the virus attempts to output a text message to the console similar to the caption of the message box:
The first Win32/Linux cross-infector, {Win32,Linux}/Peelf, used two separate routines to carry out the infection on PE and ELF files. On the other hand, Simile.D shares a substantial amount of code between the two infection functions, such as the polymorphic/metamorphic engines, the only platform-specific parts being the directory traversal code and the API usage.
The virus was confirmed to infect successfully under versions 6.2, 7.0 and 7.2 of Red Hat Linux, and it very likely works on most other common Linux distributions.
Infected files will grow by about 110KB on average, but the size increase is variable due to the shrinking and expansion capability of the metamorphic engine and to the insertion method.
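Because the virus only hosts in 32-bit ELF executables and PE files, and because infection changes file size, an administrator can inventory exactly those two formats with their sizes and compare against an earlier snapshot. The script below is an added example written for this page, not code from Symantec or from the virus; the `inventory()` walk, the 4096-byte header read and the sample headers are constructed assumptions.

```python
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ET_EXEC, ET_DYN = 2, 3


def classify_host(data: bytes) -> str:
    """Classify file contents as 'elf32', 'elf64', 'pe' or 'other' from the header."""
    if data[:4] == ELF_MAGIC and len(data) >= 0x34:
        endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
        e_type = struct.unpack(endian + "H", data[16:18])[0]
        if e_type not in (ET_EXEC, ET_DYN):
            return "other"                             # .o and core files are not hosts
        return {ELFCLASS32: "elf32", ELFCLASS64: "elf64"}.get(data[4], "other")
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack("<I", data[0x3C:0x40])[0]  # offset of the PE signature
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "other"


def inventory(root: str, head_size: int = 4096) -> dict:
    """Walk a tree and record (path, size) for the two host formats Simile.D can infect."""
    hosts = {"elf32": [], "pe": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as f:
                head = f.read(head_size)
            size = path.stat().st_size
        except OSError:
            continue
        kind = classify_host(head)
        if kind in hosts:
            hosts[kind].append((str(path), size))
    return hosts


# Constructed sample headers (not real files) for exercising classify_host().
SAMPLE_ELF32 = ELF_MAGIC + bytes([ELFCLASS32, 1, 1, 0]) + b"\x00" * 8 \
    + struct.pack("<HH", ET_EXEC, 3) + b"\x00" * (0x34 - 20)          # EM_386 executable
SAMPLE_ELF64 = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\x00" * 8 \
    + struct.pack("<HH", ET_DYN, 62) + b"\x00" * (0x34 - 20)           # EM_X86_64 PIE
SAMPLE_ELF_REL = ELF_MAGIC + bytes([ELFCLASS32, 1, 1, 0]) + b"\x00" * 8 \
    + struct.pack("<HH", 1, 3) + b"\x00" * (0x34 - 20)                 # ET_REL object
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
```

Run `inventory()` against the same tree before and after a suspected incident and diff the (path, size) pairs; the size growth the text describes is variable, so treat any change on an unchanged package as worth a closer look rather than matching a fixed delta.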