|Place of Origin||
|Source Language||Bash Script|
|Infection Length||515 bytes|
Bash is a simple but potentially dangerous bash script virus. Whether by intention or mistake, it can render an infected system totally unusable. In spite of a few coding mistakes, it was remarkable for its ability to efficiently infect a system.
When a Bash-infected file is executed, the virus first checks whether a copy of itself is already running by looking in the /tmp directory for a file whose name begins with "vir-". If no such file exists, it begins infecting. It also runs the original shell script, so that nothing appears to be wrong.
Bash uses find to search the system for uninfected files. When it finds one, it prepends its own code to the file. Bash can infect an entire system in seconds, eventually reaching shell script files on all mounted volumes. Once the system is turned off it will no longer boot, and it may be difficult to recover.
The virus never spread very far outside of labs. While testing the virus, one French researcher noted that it manages to disrupt the whole system regardless of the privileges it is executed with. He observed that the only ways to get rid of it were a long, tedious manual disinfection or reinstalling the system. It did appear in the wild on a computer in a German-speaking country.
Errors and Other Issues
One researcher based in France found the use of the find command to search for files problematic for several reasons. One of the biggest was that it lacks any stealth: it causes a significant number of disk reads, which may alert the user to the virus's presence, and any misuse of find produces error messages, which also give it away.
There is one mistake in the code that may hinder the virus. The shell variable it checks, $?, always returns 0 at that point. A better idea would have been to use $!.
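The two details above that matter to a responder, shown as an added example rather than code from the entry or from the virus itself: the "vir-" marker file in /tmp that the virus uses as its already-running check is also an indicator one can look for, and the $? versus $! mistake is reproduced with a harmless background job. The marker directory is passed as a parameter (defaulting to /tmp) so the check can be exercised on a scratch directory; the background jobs are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not part of the original entry). Defender's view of two
# details the entry describes: the /tmp "vir-" marker and the $? vs $! bug.

# Returns 0 if any file named vir-* exists in the given directory (default /tmp),
# i.e. the marker the virus itself uses to decide whether it is already running.
marker_present() {
    dir="${1:-/tmp}"
    for f in "$dir"/vir-*; do
        [ -e "$f" ] && return 0   # unmatched glob stays literal, so -e fails
    done
    return 1
}

# Launch a harmless background job and record what $? and $! hold right after.
# $? is the status of the '&' launch itself (always 0 for a successful fork);
# $! is the PID of the job, which is what one must wait on to learn its result.
# Prints "status=<n> pid=<p>" and returns the $? value that was observed.
background_status() {
    sleep 0 &             # constructed stand-in for "run the original script"
    status=$?             # 0 regardless of what the job will do
    pid=$!                # the background job's PID
    wait "$pid"
    echo "status=$status pid=$pid"
    return "$status"
}

# Using $! correctly: wait on the PID and return the job's real exit status.
job_exit_status() {
    ( exit 3 ) &          # constructed job that deliberately fails with status 3
    pid=$!
    wait "$pid"           # wait returns the exit status of that job
    return $?
}
```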
Eric Filiol. Computer Viruses: From Theory to Applications, pp. 199-203. Springer-Verlag France, Paris, 2005.
SuSE Linux Forum. "Gefahr? UNIX/Basher virus". 2003-09-10.
Trend Micro Antivirus. UNIX_BASH.