Linux/Binom

Type: Virus
SubType: Linux
Discovery Date: 12/22/2004
Length: 4096
Minimum DAT: 4416 (12/22/2004)
Updated DAT: 4545 (07/28/2005)
Minimum Engine: 5.1.00
Description Added: 12/22/2004
Description Modified: 12/25/2004 4:19 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Detection was added for an ELF file infector. ELF binaries are encountered on Linux/Unix systems, but the latest MacOS binary files also have this file structure. ELF viruses are very specific with regard to operating system type, kernel and version, so the chance that the virus will effectively infect other binary files is pretty low.

There is a dropper file originally called "binom", with a file size of 7390 bytes. When this dropper is run, it searches recursively for other ELF files to infect. Note that the dropper is not required at all; it may be used only to enhance the initial spreading.

Infected files have their file size increased by 4096 (decimal) bytes.

The virus does not change the entry point (EP) virtual address, nor does it change the actual bytes at the EP file offset itself. Instead, the viral code is added toward the end of the loadable segment.

A visible string present inside infected files is: " [ Cyneox/DCA "


Symptoms

  • ELF binary files have their file size increased by 4096 bytes.
  • Presence of the string mentioned above in binary files.
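As an added illustration (not part of the McAfee description), a small Python checker for the two symptoms above: it parses the ELF header and program headers, looks for the marker string, and reports which PT_LOAD segment contains it, matching the note that the viral code sits near the end of a loadable segment. The ELF image it scans is constructed inline; the size increase cannot be judged from a single file and needs comparison with a clean copy or the package manifest.

```python
import struct

MARKER = b" [ Cyneox/DCA "   # string the description reports inside infected files
PT_LOAD = 1

def parse_elf(data: bytes):
    """Return (bits, [(p_offset, p_filesz), ...]) for PT_LOAD segments, or None if not ELF."""
    if data[:4] != b"\x7fELF":
        return None
    bits = 64 if data[4] == 2 else 32
    e = "<" if data[5] == 1 else ">"             # EI_DATA: 1 = little-endian, 2 = big-endian
    # (e_phoff format, e_phoff offset, e_phentsize offset, Phdr format up to p_filesz) per ELF class
    phoff_fmt, phoff_at, phent_at, ph_fmt = (("Q", 0x20, 0x36, "IIQQQQ") if bits == 64
                                             else ("I", 0x1C, 0x2A, "IIIII"))
    (e_phoff,) = struct.unpack_from(e + phoff_fmt, data, phoff_at)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, phent_at)
    loads = []
    for i in range(e_phnum):
        f = struct.unpack_from(e + ph_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = f[0], f[2 if bits == 64 else 1], f[-1]   # Elf64 has p_flags second
        if p_type == PT_LOAD:
            loads.append((p_offset, p_filesz))
    return bits, loads

def scan_bytes(data: bytes) -> dict:
    """Classify one file image: not-elf, malformed, clean, or suspect (marker present)."""
    try:
        parsed = parse_elf(data)
    except (struct.error, IndexError):           # truncated or corrupt headers
        return {"verdict": "malformed"}
    if parsed is None:
        return {"verdict": "not-elf"}
    bits, loads = parsed
    idx = data.find(MARKER)
    if idx < 0:
        return {"verdict": "clean", "bits": bits}
    # Which PT_LOAD covers the marker? The virus places its code near the end of a loadable segment.
    seg = next((n for n, (o, s) in enumerate(loads) if o <= idx < o + s), None)
    return {"verdict": "suspect", "bits": bits, "marker_offset": idx, "segment": seg, "size": len(data)}

def build_sample(infected: bool) -> bytes:
    """Constructed minimal little-endian ELF64 image with one PT_LOAD segment (not a real program)."""
    body = b"\x90" * 64 + (b"\x00" * 8 + MARKER if infected else b"")   # marker near segment end
    seg_off = 64 + 56                            # ELF header + one program header
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000 + seg_off, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    ph = struct.pack("<IIQQQQQQ", PT_LOAD, 5, seg_off, 0x400000 + seg_off, 0x400000 + seg_off,
                     len(body), len(body), 0x1000)
    return hdr + ph + body
```

Run `scan_bytes(open(path, "rb").read())` over each regular file of interest; a "suspect" verdict is only a lead, and the file should be compared against its package copy before removal.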

Method of Infection

  • Manual execution of the binary ELF file.

Removal

Detection is included in the specified DAT release.

In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Delete files identified by the scanner, replace them with clean ones from backup or re-install them using the original packages. Reboot the system.

Administrators should regularly check for availability of important security updates/patches.

Recommended links:

  • Caldera
  • Debian
  • FreeBSD
  • Redhat
  • Sun
  • SuSe

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Linux.Binom (Symantec)
  • Linux.Nibom.A (ClamAV)
