-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sure enough, I ran it as root in my VMWare install and it infected a
bunch of files in /bin.
For some reason, tcpdump isn't catching any of the traffic it generates
though. I've tried it on the host against the vmnet8 interface and from
within the VM (after chmod'ing /dev/vmnet). I'm going to try it again
with a clean VM install.
Shashank Rai wrote:
| Hi Kirby,
|
| great work!! is it possible to get the gzipped files? BTW as for doze4
| ... a scan with f-prot (linux cmd line edition) identifies it as
| "Infection: Unix/RST.B". An online scan on
| http://www.kaspersky.com/remoteviruschk.html also identifies doze4 as
| Linux.RST.b
| Here is Spohos description of RST.B (from
| http://www.sophos.com/virusinfo/analyses/linuxrstb.html):
| ------
| Linux/Rst-B will attempt to infect all ELF executables in the current
| working directory and the directory /bin
|
| If Linux/Rst-B is executed by a privileged user then it may attempt to
| create a backdoor on the system. This is achieved by opening a socket
| and listening for a particular packet containing details about the
| origin of the attacker and the command the attacker would like to
| execute on the system.
| -----------
- --
Thank you,
Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBQJCG21unUZAE9MARAjS4AJsGTKXE6NzWIB/LEhCzOcf6FT+lqgCfVR7I
VasdVjiLdYO8SA4aXhVDZnQ=
=rzVd
-----END PGP SIGNATURE-----
