|Date Discovered||< 1998|
|Place of Origin|
|File Type(s)||a.out, ELF|
When Snoopy is executed, it creates a directory named "^E". The virus searches the current working directory for Unix executable files, checking them for an .X23 extension. If it finds a file with the extension .X23, it will not infect any files with the same name but no extension (for example, a file named ROX will not be infected if it finds ROX.X23). Snoopy does not discriminate between binaries and script files, as it is a companion and simply moves and replaces them with itself. It adds .X23 to the name of files it finds. It then copies itself as the original file name.
Snoopy then sets its permissions to readable, writable and executable by the current user and group the user belongs to. The virus adds the user name "snoopy" for every file it infects and will update this in the master password. It moves all files with the .X23 extension to the ^E directory.
A possibly earlier version behaves in a similar way, but uses an .X21 extension. This version is explored in The Giant Black Book.
Snoopy produced a few variants, few of which were vary different from the original. The originals were a.out files, a format that has been rendered obsolete in the Unix world with ELF files. Later versions were ELFs.
The exact origin of this virus seems to have been lost. Its place of origin appears to be totally unknown. Its date of origin is likely some time before 1998, given two variants appear in the second edition of Mark Ludwig's Giant Black Book of Computer Viruses.
Trend Micro. Threat Encyclopedia, ELF_SNOOPY.
McAfee. Threat intelligence, Linux/Snoopy.b
Mark A. Ludwig. The Giant Black Book of Computer Viruses, Chapter 20 "Unix Virus", pp. 266-268. American Eagle Publications: Show Low, Arizona. 1998