BiWiLi is a binary virus that is able to infect executable binary files in the Windows and Linux environments.
Minimum DAT: 4737 (2006-04-10)
Updated DAT: 4738 (2006-04-11)
Minimum Engine: 5.1.00
File Length: variable, average 4Kb
Description Added: 2006-04-10
Description Modified: 2006-04-10
-- Update April 10, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
Techworld.com: New virus threatens Linux and Windows PCs
Detection for infected Windows PE executable files is provided with the W32/BiWiLi driver.
Detection for infected Linux ELF executable files is provided with the Linux/BiWiLi driver.
Although infecting both Windows and Linux executables is not a very common technique, this is not the first time it has been seen. Some time ago the W32/Etap.d and Linux/Lindose viruses were also able to infect in a similar way.
The virus is a direct action file infector: it searches the current directory, the one it is run from, for suitable binary executable files to infect.
Infected files grow in size because of the added virus bytes. The number of bytes added to an executable file varies; it depends on the original file size and on the disk geometry.
The date and time of infected files are changed to the moment the infection occurs.
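The indicators above (PE and ELF files in one directory that grow and receive a new timestamp) can be checked with a simple baseline comparison. This is an added example, not part of the original description or of the vendor's detection; the function names are hypothetical, and it assumes a baseline snapshot was taken while the directory was known to be clean.

```python
import hashlib
import os

# Leading bytes of the two executable formats named in the description.
MAGICS = {b"MZ": "PE", b"\x7fELF": "ELF"}


def exe_format(path):
    """Return 'PE', 'ELF' or None based on the file's leading bytes."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return None
    for magic, name in MAGICS.items():
        if head.startswith(magic):
            return name
    return None


def snapshot(directory):
    """Record format, size, mtime and SHA-256 of each PE/ELF file in one directory."""
    result = {}
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        fmt = exe_format(entry.path)
        if fmt is None:
            continue  # not an executable format of interest
        st = entry.stat(follow_symlinks=False)
        with open(entry.path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        result[entry.name] = (fmt, st.st_size, st.st_mtime_ns, digest)
    return result


def suspicious_changes(baseline, current):
    """List (name, format, bytes_added) for files whose content changed,
    whose size grew and whose modification time moved forward."""
    findings = []
    for name, (fmt, size, mtime, digest) in sorted(current.items()):
        old = baseline.get(name)
        if old is None or old[3] == digest:
            continue  # new file or unchanged content
        if size > old[1] and mtime > old[2]:
            findings.append((name, fmt, size - old[1]))
    return findings
```

A legitimate update also changes size and timestamp, so a finding is a prompt to scan the file and compare it with the original package, not a verdict.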
Infected files have some visible strings inside, for example, but not limited to:
Infection starts with a manual execution of a malicious executable.
Detection is included in the specified DAT release.
In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used. Delete files identified by the scanner, replace them with clean ones from backup or re-install them using the original packages. Reboot the system. Administrators should regularly check for availability of important security updates/patches.
Recommended links: Caldera Debian FreeBSD Redhat Sun SuSe