| Neox | |
|---|---|
| Type | File virus |
| Creator | Cyneox |
| Date Discovered | |
| Place of Origin | Germany |
| Source Language | Assembly |
| Platform | Linux |
| Infection Length | 4,096 bytes |

Neox is a space-filling Linux virus. When a file infected with Neox is executed, it looks for ELF executables in the current directory and tries to infect all of them. It opens each file and checks that it is an ELF by validating the magic number (0x7F454C46 or '\x7FELF'). It then checks the ELF header to see if it is suitable for infection. It then maps the file into memory and reads its program headers and section headers.
Neox attempts to find sufficient space in the target ELF's memory layout to inject itself, requiring 4,096 bytes in memory. It then patches the ELF headers, updating the program header to expand memory mappings. It also adjusts the section header offsets to account for the viral code. It then writes its code into unused gaps in the target ELF. It likely redirects the entry point so that the virus runs first and then passes control back to the host program. It takes special care to ensure the program runs properly after infection.
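The header changes described above can be checked for during triage. The following is an added example, not part of the original article and not derived from Neox's code: it parses the ELF header, program headers and section headers of a little-endian ELF32 or ELF64 file and reports when the entry point does not fall inside any executable section, a general heuristic for code placed in segment gaps rather than a Neox signature. The function names and the constructed sample image are assumptions made for the illustration.

```python
import struct

PT_LOAD, PF_X, SHF_EXECINSTR = 1, 0x1, 0x4
# Per ELF class: header fields from offset 24, program header format, indexes
# of (p_type, p_flags, p_vaddr, p_memsz), and the first six section header fields.
LAYOUT = {1: ("<IIIIHHHHHH", "<IIIIIIII", (0, 6, 2, 5), "<IIIIII"),
          2: ("<QQQIHHHHHH", "<IIQQQQQQ", (0, 1, 3, 6), "<IIQQQQ")}

def triage_elf(data):
    """Return a list of findings for a little-endian ELF image given as bytes."""
    if data[:4] != b"\x7fELF":                  # magic number quoted on the page
        return ["not an ELF file"]
    if len(data) < 52 or data[4] not in LAYOUT or data[5] != 1:
        return ["unsupported ELF class or byte order"]
    hdr_fmt, ph_fmt, (i_type, i_flags, i_vaddr, i_memsz), sh_fmt = LAYOUT[data[4]]
    try:
        (entry, phoff, shoff, _, _, phentsize, phnum,
         shentsize, shnum, _) = struct.unpack_from(hdr_fmt, data, 24)
        phdrs = [struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
                 for i in range(phnum)]
        shdrs = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize)
                 for i in range(shnum)]
    except struct.error:
        return ["truncated or inconsistent header tables"]

    def inside(ranges):
        return any(lo <= entry < hi for lo, hi in ranges)

    findings = []
    segs = [(p[i_vaddr], p[i_vaddr] + p[i_memsz]) for p in phdrs
            if p[i_type] == PT_LOAD and p[i_flags] & PF_X]
    if not inside(segs):
        findings.append("entry point outside every executable PT_LOAD segment")
    if not shdrs:
        findings.append("no section headers, section check skipped")
    elif not inside([(s[3], s[3] + s[5]) for s in shdrs if s[2] & SHF_EXECINSTR]):
        findings.append("entry point not inside any executable section")
    return findings

def build_sample(entry):
    """Constructed ELF64 image: one R+X segment and one .text-like section."""
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, entry, 64, 120, 0, 64, 56, 1, 64, 2, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0x400000, 0x400000,
                       0x2000, 0x2000, 0x1000)
    text = struct.pack("<IIQQQQIIQQ", 0, 1, 6, 0x401000, 0x1000, 0x200, 0, 0, 16, 0)
    return hdr + phdr + bytes(64) + text        # bytes(64) is the null section

if __name__ == "__main__":
    for entry in (0x401000, 0x401F00):
        print(hex(entry), triage_elf(build_sample(entry)))
```

A finding is a reason to look closer, not proof of infection: stripped binaries carry no section headers, and a virus that also rewrites section sizes would pass the section check.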
Neox was coded by Cyneox, a Romanian coder who did much of his work in Germany. The date this virus first appeared has been lost, but he was active in the mid-2000s. The only sources are our original research.