Re: Staog virus

Jared Mauch (
Sat, 8 Feb 1997 21:33:48 -0500 (EST)

Once again, please take this to a security list as it has nothing
to do with kernel development. If any of these things exploit a known
kernel bug, they belong here, otherwise please leave this list alone.

Also, there they should be able to describe the difference
between a trojan horse, worm, and virus to you.

- Jared

Eric Hoeltzel graced my mailbox with this long sought knowledge:
> I haven't paid any attention to the virus scene for quite a while
> but the Bliss thing got me wondering. Found this at datafellows
> site, if anyone is interested. Doesn't look to me like being a
> Linux virus writer has any long term career opportunities.
> Regards,
> Eric
> NAME: Staog
> SIZE: 4744
> This virus spreads only under Linux operating system, infecting
> Elf-style executables. Found in the fall of 1996, Staog is the
> first known Linux virus.
> Staog is written in assembler. It attempts to stay resident and
> infect binaries as they are executed by any user. Stoag tries to
> subvert root access via three known vulnerabilities (mount buffer
> overflow, tip buffer overflow and one suidperl bug).
> Staog contains several text strings, including:
> Staog by Quantum / VLAD
> /dev/kmemx/etc/mtab~
> /sbin/mount
> /tmp/t.dip
> /bin/sh
> /sbin/dip /tmp/t.dip
> chatkey
> /tmp/hs
> #!/bin/sh\nchmod 666 /dev/kmem\n/tmp/hs
> #!/usr/bin/suidperl -U\n$ENV{PATH}=\"/bin:/usr/bin\";
> \n$>=0;$<=0;\nexec(\"chmod 666 /dev/kmem\");\n
> VLAD is an Australian virus group, which also wrote the first Windows
> 95 virus, Boza.
> Staog can be detected by searching all binaries for the following hex
> search string:
> 215B31C966B9FF0131C0884309884314B00FCD80
> Staog is not known to be in the wild at the time of this writing
> (February 1997).
> [Analysis: Mikko Hypponen, Data Fellows Ltd's F-PROT Pro Support]