Type: File virus
Creator: Wintermute
Date Discovered: 2000.10
Place of Origin: Spain
Source Language: Assembly
Platform: Linux
File Type(s): ELF
Infection Length: 338 bytes

LoTek is a Linux virus coded by 29A member Wintermute. It is a remarkably simple virus, written in 166 lines of assembly code (not including comments). As a cavity infector, it infects the .note section of an ELF file, a section that is intended for programmers but is often left empty. The virus was inspired in part by a hacker meeting in Barcelona where some people did not believe Linux could even be infected by a virus.


When LoTek is executed, it uses the system's memory file mapping syscalls to locate files in the current directory. The virus checks a few things, such as whether the file is an ELF, whether it is set as executable, and whether it is large enough. When it finds a suitable file, it places itself in the .note section, where developers are supposed to indicate the compatibility of the file; they rarely bother, so the section is often empty. After the virus has been placed in .note, it sets a new entry point, then closes the mapping, and then the file.

In the body of the virus, the text "LoTek By Wintermute" can be found. After every 32 infections, LoTek attempts to change the hostname of the infected machine. This will only work if the user executing the virus has the privileges to change the hostname. On some systems, this may be restricted to root.

The virus has no deliberately destructive routines. It is also restricted to the privileges of the user executing it, so unless the user is logged in as root, it will be restricted to a few of the user's files.
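The two observable traits described above, an entry point that lands inside the .note section and the embedded "LoTek By Wintermute" text, can be checked statically. The following is an added detection example, not code from the original page or from 29A; `inspect_elf` and `build_sample` are hypothetical names, the note section is identified by its `SHT_NOTE` type rather than by name, and the test images are constructed.

```python
import struct

MARKER = b"LoTek By Wintermute"  # text the page says appears in the virus body
SHT_NOTE = 7                     # ELF section type used by note sections
# struct layouts per EI_CLASS: (header fields after e_ident, section header)
LAYOUTS = {1: ("HHIIIIIHHHHHH", "10I"), 2: ("HHIQQQIHHHHHH", "IIQQQQIIQQ")}

def inspect_elf(data: bytes) -> dict:
    """Heuristic findings for one ELF image; ValueError if it is not parseable ELF."""
    if len(data) < 16 or data[:4] != b"\x7fELF" or data[4] not in LAYOUTS:
        raise ValueError("not a supported ELF file")
    endian = "<" if data[5] == 1 else ">"
    ehdr_fmt, shdr_fmt = (endian + f for f in LAYOUTS[data[4]])
    try:
        ehdr = struct.unpack_from(ehdr_fmt, data, 16)
    except struct.error as exc:
        raise ValueError("truncated ELF header") from exc
    entry, shoff, shentsize, shnum = ehdr[3], ehdr[5], ehdr[10], ehdr[11]
    entry_in_note = False
    for i in range(shnum):
        off = shoff + i * shentsize
        if off + struct.calcsize(shdr_fmt) > len(data):
            break  # section table truncated; stop rather than misread bytes
        sh = struct.unpack_from(shdr_fmt, data, off)
        sh_type, sh_addr, sh_size = sh[1], sh[3], sh[5]
        # Assumption: an entry point inside a note section is never legitimate.
        if sh_type == SHT_NOTE and sh_addr <= entry < sh_addr + sh_size:
            entry_in_note = True
    return {"entry": entry, "entry_in_note": entry_in_note, "marker": MARKER in data}

def build_sample(entry: int, note_body: bytes = b"\0" * 32) -> bytes:
    """Constructed ELF32 image for testing: header, one note section, section table."""
    note_addr, note_off = 0x08048100, 52
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\0" * 9
    ehdr = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, entry, 0,
                       note_off + len(note_body), 0, 52, 0, 0, 40, 2, 0)
    null_sh = struct.pack("<10I", *([0] * 10))
    note_sh = struct.pack("<10I", 0, SHT_NOTE, 2, note_addr, note_off,
                          len(note_body), 0, 0, 4, 0)
    return ident + ehdr + note_body + null_sh + note_sh

if __name__ == "__main__":
    clean = build_sample(0x08048200)
    flagged = build_sample(0x08048104, MARKER.ljust(32, b"\0"))
    print(inspect_elf(clean))
    print(inspect_elf(flagged))
```

A stripped binary with no section table yields `entry_in_note` as False, so the marker scan is the only signal in that case.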


LoTek was coded in autumn of 2000 in Spain by Wintermute. It appeared in issue 5 of 29A magazine. Wintermute was partially inspired to write the virus after HackMeeting Barcelona'00 where he made a speech about Linux viruses and their risks. Apparently, there were some people who still were not convinced Linux could be infected. Still, Wintermute believed Linux was a very secure operating system at the time and had great admiration and respect for the Linux community.


There are three versions of the virus, including the original, all by the original coder. They are mostly similar with extremely minor variations in size.

