NuxBee
NuxBee
Type File virus
Creator Bumblebee
Date Discovered 29-NOV-2001
Place of Origin Spain
Source Language Assembly
Platform Linux
File Type(s) ELF
Infection Length 1,411 bytes

Nuxbee is a Linux virus by Bumblebee.

Behavior

When executed, NuxBee searches for files in the current working directory /bin/ directory. It may display the message "NuxBee by Bumblebee activated." and "Have a nice day!". It will write itself to the middle of the file to the entry point offset. If it has root (admin) access, it will do the same with ELF files in the /bin/ folder. It then takes the original portion of the file from thjat location, encrypts them and writes them to the end of the file.

To restore an original file, the virus reads and encrypts the original bytes from the host file. It uses file mapping functions to infect files. All system functions are summoned by INT 80h.

Inside the virus's code, one can find the text string that is never displayed: "NuxBee by Bumblebee - The NeXt Frontier".

Variants

There is one variant that is 1,403 bytes long. It is functionally similar to the original. It contained a bug that caused problems with its /bin/ file infection.

Origin

NuxBee was coded in Spain by Bumblebee. This was his first Linux virus. It appeared in the 6th issue of 29A magazine. Bumblebee developed NuxBee on Mandrake 7.1 Kernel 2.2.16 using NASM and conducted a partial test on this platform. He conducted a full test on Mandrake 6.1 with Kernel 2.2.11. Bumblebee released the source code under a GPL 2 license.

Sources

Bumblebee. 29A Magazine, Issue 6, NuxBee.

Kaspersky Lab, SecureList, Virus.Linux.Nuxbee.1403.

Jimelle Monteser. Trend Micro, ELF_NUXBEE.A. 06-JUL-2017

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License