| Property | Value |
|---|---|
| Place of Origin | Australia |
| Platform | MS Windows, Linux |
| File Type(s) | .exe, ELF |
| Infection Length | ~ 4,000 bytes |

The Bi virus is a cross-platform Windows and Linux virus.
When a file infected with Bi is executed, the virus looks for Windows Portable Executable and Linux ELF files in the current working directory. If the file is a Portable Executable file, the virus inserts itself into the last PE section. If the file is an ELF file, the virus inserts itself after the ELF header. It then executes the file's original program.
Bi takes up around 4 kilobytes, though this depends on the size of the file.
The following text can be found in the virus when an infected file is opened with a hex or text editor:
[CAPZLOQ TEKNIQ 1.0] (c) 2006 JPanic: This is Sepultura signing off... This is The Soul Manager saying goodbye... Greetz to: Immortal Riot, #RuxCon!
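The infection behaviour and banner described above suggest a simple triage check. The following is an added example, not code from the original page or from any antivirus vendor: it classifies each file in one directory as PE or ELF by its magic bytes, searches for the banner prefix quoted above, and for PE files reports whether the banner lies inside the section whose raw data ends last in the file. The function names are hypothetical, and a banner match is only a weak indicator, so a file without it is not thereby shown to be clean.

```python
import struct
from pathlib import Path

MARKER = b"[CAPZLOQ TEKNIQ 1.0]"  # banner prefix quoted on this page

def file_kind(data):
    """Classify a buffer as 'ELF', 'PE' or None from its magic bytes."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew field
        if data[pe:pe + 4] == b"PE\0\0":
            return "PE"
    return None

def pe_last_section(data):
    """Return (raw_offset, raw_size) of the section whose raw data ends last."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec, = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    table, last = pe + 24 + opt_size, (0, 0)
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit 16 bytes into each 40-byte header
        size, ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if ptr + size > last[0] + last[1]:
            last = (ptr, size)
    return last

def triage(data):
    """Return None, or (kind, marker_offset, marker_in_last_pe_section)."""
    kind, pos = file_kind(data), data.find(MARKER)
    if kind is None or pos < 0:
        return None
    in_last = False
    if kind == "PE":
        try:
            ptr, size = pe_last_section(data)
            in_last = ptr <= pos < ptr + size
        except struct.error:  # truncated or malformed section table
            pass
    return kind, pos, in_last

def scan_directory(path="."):
    """Triage every regular file in one directory (no recursion)."""
    files = sorted(p for p in Path(path).iterdir() if p.is_file())
    results = {p.name: triage(p.read_bytes()) for p in files}
    return {name: hit for name, hit in results.items() if hit}

if __name__ == "__main__":
    print(scan_directory("."))
```

Run it in the directory that held a suspected sample, since the page describes the virus as targeting files in the current working directory.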
Bi was discovered by Kaspersky Lab and described as a proof-of-concept virus. One technical consultant at Kaspersky predicted these kinds of attacks would become more common in the future. In fact, this kind of attack has been extremely rare, and the one example of a cross-platform attack used Java, a platform that runs on top of the OS rather than at a level requiring assembly language.
The virus actually had problems working on some versions of Linux running kernel 2.6.17. The cause turned out to be an obscure compiler bug appearing when a program is compiled on a system where the kernel was compiled using the REGPARM kernel option. Linus Torvalds reasoned that both the bug and virus were benign and that if someone really wanted to do damage, they would have worked around the bug.