Bi

Type	File virus
Creator	Sepultura
Date Discovered	2006.04.06
Place of Origin	Australia
Source Language	Assembly
Platform	MS Windows, Linux
File Type(s)	.exe, ELF
Infection Length	~ 4,000 bytes

The Bi virus is a cross-platform Windows and Linux virus.

Table of Contents

Behavior

When a file infected with Bi is executed, the virus looks for Windows Portable Executable and Linux ELF files in the current working directory. If the file is a Portable Executable file, the virus inserts itself into the last PE section. If the file is an ELF file, the virus inserts itself after the ELF header. It then executes the file's original program.

Bi takes up around 4 kilobytes, though this depends on the size of the file.

The following code can be found in the virus when opened with a hex or text editor:

[CAPZLOQ TEKNIQ 1.0] (c) 2006 JPanic:
This is Sepultura signing off...
This is The Soul Manager saying goodbye...
Greetz to: Immortal Riot, #RuxCon!

Effects

Bi was discovered by Kaspersky Lab and described as a proof of concept virus. One technical consultant at Kaspersky predicted these kinds of attacks would become more common in the future. In fact, this kind of attack has been extremely rare, and the one example of a cross-platform attack used Java, a platform running on top of the OS rather than one running on a level requiring Assembly language.

Compiler bug-fix

The virus actually had problems working on some versions of Linux running kernel 2.6.17. The cause turned out to be an obscure compiler bug appearing when a program is compiled on a system where the kernel was compiled using the REGPARM kernel option. Linus Torvalds reasoned that both the bug and virus were benign and that if someone really wanted to do damage, they would have worked around the bug.

Origin

Text inside the virus indicates it was coded by Sepultura, from Australia who has been coding viruses since the 1990's. He worked with such groups and magazines as Immortal Riot and Insane Reality.