Virus.Linux.Alaeda

Class: Virus
Platform: Linux
Description

Technical Details

Alaeda is a non-resident virus. It infects systems running Linux, and is written in Assembler. It infects ELF format files in the current directory.

When infecting, the virus modifies the entry point of the original file so that control passes to the infection routine. It also modifies the file’s ELF header. Before infecting, the virus checks whether the victim machine can be infected. The .text section of the file to be infected must be of a minimum size for the malicious code to be injected.

The virus writes its body to the .text section; the size of the infected file will not change, making it harder to detect infection.

Once the virus body has delivered its payload, control is returned to the program code.

Repeat infection of an already infected file is prevented by a “!” flag placed in a reserved byte of the ELF header at offset Fh, which is not used by the interpreter.

The following strings can be found in infected files:

AL-QAEDA 1-02-032
With help of Allah I will die for Allah
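The infection marker and the strings above can be turned into a simple file triage check. The following is an added example, not part of the original description: it scans the regular files in one directory for ELF files that carry "!" at header offset Fh or contain either listed string. The function names and the sample header stub are assumptions made for illustration.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
MARKER_OFFSET = 0x0F   # last e_ident padding byte; the ELF spec sets padding to zero
MARKER = b"!"
# Strings the description lists as present in infected files.
STRINGS = (b"AL-QAEDA 1-02-032", b"With help of Allah I will die for Allah")


def check_elf(path):
    """Return the indicators found in one file, or None if it is not a readable ELF."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    if len(data) < 16 or not data.startswith(ELF_MAGIC):
        return None
    hits = []
    if data[MARKER_OFFSET:MARKER_OFFSET + 1] == MARKER:
        hits.append("marker-0x0f")
    hits += ["string:" + s.decode() for s in STRINGS if s in data]
    return hits


def scan_directory(directory):
    """Check regular files directly inside `directory` (non-recursive)."""
    report = {}
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if entry.is_file(follow_symlinks=False):
            hits = check_elf(entry.path)
            if hits:
                report[entry.name] = hits
    return report


def make_sample(marker=b"\x00", body=b""):
    """Constructed test input: a 64-byte ELF64-style header stub, not a real binary."""
    ident = ELF_MAGIC + b"\x02\x01\x01\x00" + b"\x00" * 7 + marker
    return ident + b"\x00" * 48 + body


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"clean": make_sample(), "flagged": make_sample(b"!", STRINGS[0])}
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        print(scan_directory(tmp))
```

A marker hit without a string hit is only a heuristic, since the check looks at a single byte; treat it as a reason to examine the file further.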