Classification

Category :

Malware

Type :

-

Aliases :

Tuxissa, Attack of the Tuxissa, April Fools Day Hoax

Summary

The below message warning about the attack of Tuxissa virus is an April Fools Day joke. There's no virus with this name and with such capabilities as described below.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Topic: Attack of the Tuxissa Virus
This advisory is intended primarily for network administrators
responsible for luser configuration and maintenance.
Attack of the Tuxissa Virus
March 29, 1999
What started out as a prank posting to comp.os.linux.advocacy
yesterday has turned into one of the most significant viruses in
computing history.
 The creator of the virus, who goes by the
moniker "Anonymous Longhair", modified the well-known Melissa[1]
virus to download and install Linux on infected machines.
"It's a work of art," one Linux advocate told Humorix after he
looked through the Tuxissa virus source code.
"This virus goes
well beyond the feeble troublemaking of Melissa."
The advocate
enumerated some of the tasks the virus performs in the
background while the user is blissfully playing Solitaire:
Once the virus is activated, it first works on propogating
itself. It has a built-in email harvesting module that downloads
all the pages referenced in the user's Internet Explorer
bookmarks and scans them for email addresses. Using Outlook, the
virus sends a copy of itself to every email address it comes
across.
After it has successfully reproduced, the virus begins the
tricky process of upgrading the system to Linux.
 First, the
virus modifies AUTOEXEC.BAT so that the virus will be
re-activated if the system crashes or is shut down while the
upgrade is in process. Second, the virus downloads a
stripped-down Slackware distribution, using a lengthy list of
mirror sites to prevent the virus from overloading any one
server.
Then the virus configures a UMSDOS filesystem to install Linux
on.
Since this filesystem resides on a FAT partition, there is
no need to re-partition the hard drive, one of the few actions
that the Word macro language doesn't allow.
Next, the virus uncompresses the downloaded files into the new
Linux filesystem.
The virus then permanently deletes all copies
of the Windows Registry, virtually preventing the user from
booting into Windows without a re-install. After modifying the
boot sector, the virus terminates its own life by rebooting the
system. The computer boots into the Slackware setup program,
which automatically finishes the installation of Linux.
Finally, the dazed user is presented with the Linux login prompt
and the text, "Welcome to Linux.
You'll never want to use
Windows again. Type 'root' to begin..."
The whole process take about two hours, assuming the user has a
decent Internet connection.
Since the virus runs invisibly in
the background, the user has no chance to stop it until it's too
late.
The email message that the virus is attached to has the subject
"Important Message About Windows Security".
The text of the
body says, "I want to let you know about some security problems
I've uncovered in Windows 95/98/NT, Office 95/97, and Outlook.
It's critically important that you protect your system against
these attacks.
Visit these sites for more information..."
The
rest of the message contains 42 links to sites about Linux and
free software.
Slashdot is one of those links.
"That could spell trouble," one
Slashdot expert told Humorix.
"Slashdot could fall victim to
the new 'Macro Virus Effect' if this virus continues to
propogate at its present exponential growth rate.
Red Hat's
portal site, another site present on the virus' links list,
seems to be quite sluggish right now..."
Details on how the virus started are a bit sketchy.
The
"Anonymous Longhair" who created it only posted it to Usenet as
an early April Fool's gag, a demonstration of how easy it would
be to mount a "Linux revolution".
Some other Usenet reader is
responsible for actually spreading the virus into the wild.
One
observer speculated, "I imagine the virus was first sent to the
addresses of several well-known spammers.
The virus probably
latched on to the spammer's email lists and began propagating at
a fantastic rate.
With no boundary to its growth, this thing
could wind up infecting every single Net-connected Wintel box in
the world.
Wouldn't that be a shame!"
Linus Torvalds, who just left for a two week vacation, was
unavailable for comment at press time.
We have a strong feeling
that his vacation will be cut short very soon...
[1] http://linuxtoday.com/stories/4463.html
James S. Baughn
http://i-want-a-website.com/about-linux/