F-Secure Virus Descriptions : Lindose





NAME: Lindose
ALIAS: Winux, Peelf

Lindose is a cross-platform virus that is able to infect both Windows PE and Linux ELF executables. This is a proof-of-concept virus and has not been found in the field.

When the virus is executed on Windows, it searches for both PE and ELF executables and infects them. ELF files are infected by prepending the virus code, which increases the file size by 2784 bytes.

When infecting PE files, the virus overwrites the relocation data section if it is present. If a file has no relocation section, the virus doesn't infect it. The virus checks the size of the relocation section prior to infection to ensure that its code can fit there. If the section is too small, the virus doesn't infect the file.

When the virus is executed on Linux, it infects both ELF and Windows executables. However, no case conversion happens.

The virus is not resident on either platform. It doesn't have any payload.

Infected files contain the following text strings:

    [Win32/Linux.Winux] multi-platform virus
    This GNU program is covered by GPL.
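
A triage check built on the two strings above, as an added example (not F-Secure's detection logic): it classifies a file as PE or ELF by header magic, looks for the strings, and for PE files names the section that holds each hit, since the description says the virus body is written over the relocation section. The function names `file_format`, `pe_sections` and `triage` are hypothetical.

```python
import struct
import sys

# Marker strings quoted in the description above.
MARKERS = (b"[Win32/Linux.Winux] multi-platform virus",
           b"This GNU program is covered by GPL.")

def file_format(data):
    """Classify a buffer as 'ELF', 'PE' or None from its header magic."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "PE"
    return None

def pe_sections(data):
    """Return [(name, raw_offset, raw_size)] from the PE section table."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):         # truncated COFF header
        return []
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table, out = e_lfanew + 24 + opt_size, []
    for off in range(table, table + 40 * nsec, 40):
        if off + 40 > len(data):          # truncated section table
            break
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        out.append((data[off:off + 8].rstrip(b"\0"), raw_ptr, raw_size))
    return out

def triage(data):
    """Report format, marker offsets and, for PE, the section holding each."""
    fmt = file_format(data)
    hits = []
    if fmt is None:                       # only PE and ELF files are targets
        return {"format": None, "hits": hits}
    sections = pe_sections(data) if fmt == "PE" else []
    for marker in MARKERS:
        pos = data.find(marker)
        if pos < 0:
            continue
        where = next((n.decode("ascii", "replace") for n, p, s in sections
                      if p <= pos < p + s), None)
        hits.append((marker.decode(), pos, where))
    return {"format": fmt, "hits": hits}

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

A hit that falls inside a PE file's relocation section matches the infection method described above; a hit elsewhere, or in a file that merely quotes the strings, needs a closer look before it is treated as an infection.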

F-Secure Anti-Virus with current updates detects infected Windows PE files with heuristics.

[Analysis: Sami Rautiainen, Katrin Tocheva, Alexey Podrezov; F-Secure; March 28th, 2001]