Staog is the first Linux virus. It came from Australia created by Quantum of VLAD, the same group that created Bizatch, the first Windows 95 virus. It is a simple memory resident virus with none of the stealth or polymorphic capabilities found in its contemporaries on DOS and Windows.

Behavior

When executed, Staog becomes memory resident. It infects files as they are executed. Staog uses three known vulnerabilities (which have since been patched) to gain root privileges. Two are buffer overflows, one in mount and the other in tip and a bug in suidperl. This way it installs itself in kernel memory and can infect files regardless of what user or privilege level.

The virus will not work on most if not all versions of Linux from after 1997. The vulnerabilities it uses to get root-level privileges have been patched since the creation of the virus. Quantum himself noted that it can only work on the version 1.2.13 kernel

Effects

Staog is not known to have ever been wild, and it had no destructive payload, so it likely never caused any damage. It did for some people destroy the illusion that Linux was completely invulnerable to viruses. To this day however many people believe either that viruses simply do not exist for Linux, Linux is completely invulnerable to what viruses do exist for it or that the stricter separation of root and regular users (which Staog found a way to get around) protects them from viruses. Macintosh users have similar illusions about their preferred operating system, while Apple products (not necessarily the Macintosh OS) were infected with the first actual virus, Elk Cloner. Macmag, Scores and Wdef were also known viruses for the Macintosh OS.

Sources

Quantum. VLAD #7, STAOG Linux Virus.

Mikko Hypponen. F-Secure Antivirus, F-Secure Virus Descriptions : Linux/Staog.