Re: [masq] 1st virus in Linux :( (fwd)

Jon Tombs (
Tue, 11 Feb 1997 17:25:57 +0100 (MET)

Neil Moore said:

> > Doom is actually one of two programs: xdoom or sdoom. I think there is
> > also a framebuffer version of xdoom. (That's the case in quake) sdoom
> > uses svgalib and requires that suid root is set. xdoom works w/o suid.
> > svgalib sucks anyway...
> I meant, "Why not delete the executable you would be removing
> suid from?" I meant sdoom here, as (hopefully) no one installs
> xdoom suid root anyway.

A small observation about this thread.

As of 2.0.x linux removed the setuid bit when you modify a binary. So even if
sdoom was installed setuid root. The moment the bliss adds its signature, or
moves the binary to /tmp, the setuid bit will be removed.

Also in linux/unix the virus will modify the inode change time, so detecting
the virus is trivial...


Jon. <,>