Threat Description

Tuxissa

Details

Category: Malware
Platform: W32
Aliases: Tuxissa, Attack of the Tuxissa, April Fools Day Hoax

Summary


The message below, warning about an attack by the Tuxissa virus, is an April Fools' Day joke. There is no virus with this name or with the capabilities described below.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


Topic: Attack of the Tuxissa Virus

This advisory is intended primarily for network administrators responsible for luser configuration and maintenance.

Attack of the Tuxissa Virus

March 29, 1999

What started out as a prank posting to comp.os.linux.advocacy yesterday has turned into one of the most significant viruses in computing history. The creator of the virus, who goes by the moniker "Anonymous Longhair", modified the well-known Melissa[1] virus to download and install Linux on infected machines.

"It's a work of art," one Linux advocate told Humorix after he looked through the Tuxissa virus source code. "This virus goes well beyond the feeble troublemaking of Melissa." The advocate enumerated some of the tasks the virus performs in the background while the user is blissfully playing Solitaire:

Once the virus is activated, it first works on propagating itself. It has a built-in email harvesting module that downloads all the pages referenced in the user's Internet Explorer bookmarks and scans them for email addresses. Using Outlook, the virus sends a copy of itself to every email address it comes across.

After it has successfully reproduced, the virus begins the tricky process of upgrading the system to Linux. First, the virus modifies AUTOEXEC.BAT so that the virus will be re-activated if the system crashes or is shut down while the upgrade is in process. Second, the virus downloads a stripped-down Slackware distribution, using a lengthy list of mirror sites to prevent the virus from overloading any one server.

Then the virus configures a UMSDOS filesystem to install Linux on. Since this filesystem resides on a FAT partition, there is no need to re-partition the hard drive, one of the few actions that the Word macro language doesn't allow.

Next, the virus uncompresses the downloaded files into the new Linux filesystem. The virus then permanently deletes all copies of the Windows Registry, virtually preventing the user from booting into Windows without a re-install. After modifying the boot sector, the virus terminates its own life by rebooting the system. The computer boots into the Slackware setup program, which automatically finishes the installation of Linux.

Finally, the dazed user is presented with the Linux login prompt and the text, "Welcome to Linux. You'll never want to use Windows again. Type 'root' to begin..."

The whole process takes about two hours, assuming the user has a decent Internet connection. Since the virus runs invisibly in the background, the user has no chance to stop it until it's too late.

The email message that the virus is attached to has the subject "Important Message About Windows Security". The text of the body says, "I want to let you know about some security problems I've uncovered in Windows 95/98/NT, Office 95/97, and Outlook. It's critically important that you protect your system against these attacks. Visit these sites for more information..." The rest of the message contains 42 links to sites about Linux and free software.

Slashdot is one of those links. "That could spell trouble," one Slashdot expert told Humorix. "Slashdot could fall victim to the new 'Macro Virus Effect' if this virus continues to propagate at its present exponential growth rate. Red Hat's portal site, another site present on the virus' links list, seems to be quite sluggish right now..."

Details on how the virus started are a bit sketchy. The "Anonymous Longhair" who created it only posted it to Usenet as an early April Fool's gag, a demonstration of how easy it would be to mount a "Linux revolution". Some other Usenet reader is responsible for actually spreading the virus into the wild. One observer speculated, "I imagine the virus was first sent to the addresses of several well-known spammers. The virus probably latched on to the spammer's email lists and began propagating at a fantastic rate. With no boundary to its growth, this thing could wind up infecting every single Net-connected Wintel box in the world. Wouldn't that be a shame!"

Linus Torvalds, who just left for a two week vacation, was unavailable for comment at press time. We have a strong feeling that his vacation will be cut short very soon...

[1] http://linuxtoday.com/stories/4463.html

James S. Baughn
http://i-want-a-website.com/about-linux/




