Type File virus
Creator Cyneox
Date Discovered 2004
Place of Origin Germany
Source Language Assembly
Platform Linux
File Type(s) ELF
Infection Length 4,096 bytes

Binom, also known as Nibom is a Linux virus from 2004. It was quite similar to Rike, which had appeared in the previous year and also has similarities to Alqaeda. The virus is apparently able to also infect some ELF binaries under MacOSX. It was coded by Cyneox of the group DCA in Germany and the family has about four variants.


When a file infected with Binom is executed, it infects files in the current working directory. Due to bugs in the code, the file is unable to run after infection and produces an error message.

Inside the virus body, the following text strings can be found: "ELF file detected… " and "[[ Cyneox/DCA (C) Copyright 2004 ]]!".


Binom has at least three variants in addition to the original.


This 11,315 byte variant attempts to spawn a child process. If it fails, it will display the message "« ..You've been binomitized!..» by cyneox. »" and terminate. The child process attempts to retrieve the user ID and the group ID of the running malware process. It uses this to determine if it has the right to modify host files, since it can only infect as root and only goes for files in the /bin directory.

It first checks for the ELF marker to verify it is an ELF file. It also checks if there are 0x1000 (4,096 in decimal) bytes of empty space between code segments. If it doesn't find these, it moves on to the next potential file.

It does not modify the entry point. Being an entry point obscuring virus, it patches the first call instruction to ensure that its code executes.


Binom was coded by Cyneox of DCA. Originally from Romania, he had lived in Germany for roughly 3 years before coding the virus. He is also responsible for the viruses Caline, Nemox, and Nf3ct0r.


Positive Technologies. SecurityLab,Virus.Linux.Binom.a. (Russian) Binom – jauns vīruss priekš Linux. 2004.12.27 (Latvian)

Bryant Sy Tan. Trend Micro Antivirus, ELF_BINOM.C.

Interview with Cyneox 2005.02.20

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License