Linux/OSF-8759 aka Linux/OSF-A Virus Cleaner
--------------------------------------------

               by Druid <druid@vmatrics.org>


After getting my computer infected with this damn virus I searched the net
for a program to clean it. Because I couldn't find any, I wrote one ;)

This program will scan the filesystem and tell you if you have this virus.
When the virus is found, it will disinfect the file and hopefully restore
the file to its original form.

Run make and it will build a binary called clean-osf.8759-ps.
Why clean-osf.8759-ps? Because the virus won't infect files ending in "ps" :P

To start, run: ./clean-osf.8759-ps -v /
and it will start scanning and ask you what to do each time an infected file
is found. To see more options, run it without any arguments.

When an infected file is first executed, the virus starts a backdoor which
listens on port 3049 or above (see the analysis below) and will appear in the
process list under the name of one of the infected files (e.g. "netstat", "ls").

If the virus is found, I recommend you reboot after you clean it, or find
the PID of the backdoor and kill it.
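The quoted analysis only says the backdoor is a TCP server on port 3049 or higher, so a
quick way to find its PID is to list every LISTEN socket on such a port and map it back to
the owning process. The script below does that by reading /proc/net/tcp and /proc/<pid>/fd
on Linux. It is an added example, not part of Druid's cleaner, and it assumes the standard
Linux /proc layout; the embedded sample table is constructed for illustration.

```python
#!/usr/bin/env python3
"""List processes with a TCP socket in LISTEN state on port 3049 or higher (Linux only).

Added example, not part of clean-osf.8759-ps. Assumes the /proc/net/tcp and
/proc/<pid>/fd layout of a standard Linux kernel.
"""
import os

LISTEN = "0A"        # socket state code for LISTEN in /proc/net/tcp
MIN_PORT = 3049      # lowest port the backdoor binds, per the quoted analysis

# Constructed sample in /proc/net/tcp format: a listener on 3049 (0x0BE9),
# sshd on 22 (0x0016) and one established (state 01) connection.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0BE9 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0\n"
    "   2: 0100007F:0BE9 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1\n"
)


def parse_proc_net_tcp(text: str, min_port: int = MIN_PORT) -> dict:
    """Map socket inode (str) -> local port (int) for LISTEN sockets on ports >= min_port.

    `text` is the content of /proc/net/tcp or /proc/net/tcp6: a header line, then
    one socket per line with the local address as hex "ADDR:PORT" in field 1,
    the state in field 3 and the inode in field 9.
    """
    listeners = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)
        if port >= min_port:
            listeners[fields[9]] = port
    return listeners


def socket_owners(inodes) -> dict:
    """Map socket inode -> list of PIDs holding it, by walking /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)          # needs root to see other users' processes
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:[") and target[8:-1] in inodes:
                owners.setdefault(target[8:-1], []).append(int(pid))
    return owners


def suspicious_listeners(min_port: int = MIN_PORT) -> list:
    """Return sorted (port, pid, comm) tuples for LISTEN sockets on ports >= min_port.

    Returns an empty list on systems without /proc/net/tcp.
    """
    results = []
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(table) as fh:
                listeners = parse_proc_net_tcp(fh.read(), min_port)
        except OSError:
            continue
        for inode, pids in socket_owners(listeners).items():
            for pid in pids:
                try:
                    with open(f"/proc/{pid}/comm") as fh:
                        comm = fh.read().strip()
                except OSError:
                    comm = "?"
                results.append((listeners[inode], pid, comm))
    return sorted(results)


if __name__ == "__main__":
    print("sample table parses to:", parse_proc_net_tcp(SAMPLE_PROC_NET_TCP))
    for port, pid, comm in suspicious_listeners():
        print(f"port {port:5d}  pid {pid:6d}  {comm}")
```

Run it as root so /proc/<pid>/fd of every process is readable. Any legitimate daemon on a
high port shows up too, so compare each hit's command name against the list of infected
files the cleaner reports before killing anything.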


Taken from some virus analysis on the net, uhh... don't remember exactly who wrote it:

> OSF.8759 is a Linux virus infecting ELF executable programs.
>
> OSF consists of two quite distinct parts: a viral part and a backdoor part.
>
> The virus checks if its code is executed under the debugger and if so, it skips
> the file infection routine altogether. This routine is also avoided if the
> infected file is executed from the /proc or /dev directories. Otherwise, it
> infects up to 201 files in the current directory as well as up to 201 files in
> the /bin directory. The virus avoids infecting the "ps" program (and all programs
> with names ending with the string "ps").
>
> Infected files increase their size by 8759 bytes. The virus marks all infected
> programs by setting a value of the byte at offset 0x0A to 2.
>
> The backdoor procedure establishes a server listening on port 3049 (or higher).
> Depending on the contents of packets received from a client OSF may present a
> remote user with an interactive shell or execute commands on a local system using
> the syntax: "/bin/sh -c command".
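The analysis above gives one cheap, read-only indicator: the virus sets the byte at
offset 0x0A of an infected ELF file to 2. In a standard ELF header that byte is part of
the e_ident padding and is normally zero, so a non-zero value there is worth a look but is
not proof by itself. The scanner below is an added example (not the cleaner's own code):
it walks a directory tree, skips pseudo-filesystems, and reports regular ELF files
carrying the marker without modifying anything. The sample headers in the test are
constructed.

```python
#!/usr/bin/env python3
"""Read-only scanner for the OSF.8759 infection marker (byte 0x0A == 2 in an ELF file).

Added example, not part of clean-osf.8759-ps. Only flags candidates; it never
writes to the files it inspects.
"""
import os
import stat
import sys

ELF_MAGIC = b"\x7fELF"
MARKER_OFFSET = 0x0A     # byte the virus sets, per the quoted analysis
MARKER_VALUE = 2
HEADER_LEN = 16          # e_ident is 16 bytes; we only need the first 11


def classify_header(header: bytes) -> str:
    """Classify the first bytes of a file: 'not-elf', 'clean' or 'marked'."""
    if len(header) < MARKER_OFFSET + 1 or header[:4] != ELF_MAGIC:
        return "not-elf"
    return "marked" if header[MARKER_OFFSET] == MARKER_VALUE else "clean"


def classify_file(path: str) -> str:
    """Classify one file on disk; 'unreadable' if it cannot be opened."""
    try:
        with open(path, "rb") as fh:
            return classify_header(fh.read(HEADER_LEN))
    except OSError:
        return "unreadable"


def scan_tree(root: str, skip=("/proc", "/sys", "/dev")) -> list:
    """Walk `root` and return the paths of regular files carrying the marker.

    Pseudo-filesystems in `skip` are pruned (reading them is slow or meaningless),
    symlinks are not followed, and unreadable entries are silently skipped.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if any(dirpath == s or dirpath.startswith(s + "/") for s in skip):
            dirnames[:] = []          # prune: do not descend further
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue              # skip symlinks, devices, sockets
            if classify_file(path) == "marked":
                hits.append(path)
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/bin"
    for hit in scan_tree(root):
        print("possible OSF.8759 infection:", hit)
```

The cleaner itself still has to do the restoration; this only tells you which files to
feed it. The other indicator in the analysis, growth by exactly 8759 bytes, cannot be
checked without a known-good copy or package checksum of each binary.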


http://www.vMatriCS.oRg

Greetz: vMatriCS + Casper & the other Dionis admins (including me :))

-mY master iz Druid
