Diesel | |
---|---|
Type | File virus |
Creator | Paddingx |
Date Discovered | 1999 |
Place of Origin | France |
Source Language | Assembly |
Platform | Linux |
File Type(s) | ELF |
Infection Length | 962 bytes |

Diesel is a harmless direct action infector virus for Linux that places its code in the middle of the files it infects while preserving the part of the middle it would otherwise overwrite. It was created by Paddingx in France in 1999 and appeared in the 4th issue of 29A magazine. It takes its name from text found in the virus body describing diesel gas.
Behavior
[Figure: The Diesel infection process illustrated]
When a file infected with Diesel is executed, it searches for ELF executables in system directories and subdirectories. To infect a file, it removes a block of code from the middle of the file, increases the file's size, then places the removed block at the end. The virus then places its body in the vacated middle section. Control is then returned to the original host.
It will not infect executables found in the /usr directory, in spite of the many potential hosts there. If run as root, infecting files in this directory will cause the system to crash, even when logging in.
The following text string can be found in the virus body:
/ home root sbin bin opt
[ Diesel : Oil, Heavy Petroleum Fraction Used In Diesel Engines ]
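
A signature sweep for the marker string quoted above, as an added example (not code from the original page or from any antivirus product): it walks a directory tree, considers only files that start with the ELF magic, and reports the offset at which the text appears. It assumes the string is stored byte-for-byte as printed here; `find_marker`, `scan_tree` and `demo` are names chosen for this example, and the sample files are constructed filler containing no virus code.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
# Text as printed on the page; its exact byte layout in a sample is assumed.
MARKER = b"[ Diesel : Oil, Heavy Petroleum Fraction Used In Diesel Engines ]"


def find_marker(path, chunk=65536):
    """Return the file offset of MARKER inside an ELF file, else None."""
    with open(path, "rb") as fh:
        tail, base = fh.read(4), 0  # base is the file offset of tail[0]
        if tail != ELF_MAGIC:
            return None  # not ELF, so not a candidate host
        while block := fh.read(chunk):
            window = tail + block
            hit = window.find(MARKER)
            if hit != -1:
                return base + hit
            tail = window[-(len(MARKER) - 1):]  # carry-over so a split marker is found
            base += len(window) - len(tail)
    return None


def scan_tree(root):
    """Return {path: offset} for regular ELF files under root holding MARKER."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names):
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                offset = find_marker(path)
            except OSError:
                continue  # unreadable; skip rather than abort the sweep
            if offset is not None:
                hits[path] = offset
    return hits


def demo():
    """Scan three constructed files (filler bytes only, no virus code)."""
    samples = {"clean": ELF_MAGIC + bytes(2000), "note.txt": MARKER,
               "marked": ELF_MAGIC + bytes(996) + MARKER + bytes(500)}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): off for p, off in scan_tree(root).items()}
```

A hit is a lead for triage rather than proof of infection, since any ELF file that embeds the same text will match.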
Variants
At least two variants of the original have appeared. They are 969 and 970 bytes long. These fix the issue of the system crashing with infection of files in the /usr directory.
Origin
Paddingx uses an email address with a .fr top-level domain, suggesting he comes from France. Because 29A does not date its material and a significant amount of information about this virus has been lost, its date of origin has to be determined from clues in the virus and in Issue 4. The virus was tested on SuSE 6.3, released on 1999.11.05, and one article in the 4th issue carries a 1999 copyright date by Billy Belcebu, so it was likely released in the last two months of 1999.
Paddingx claimed inspiration from the Staog virus by Quantum of VLAD, and based much of the code on that virus. It does have a few differences, including that it works on all versions of the Linux kernel.
Sources
Paddingx. 29A Magazine, Issue 4, D I E S E L.
Kaspersky Lab. Viruslist, Virus.Linux.Diesel.962. 2002.02.08