The worm, which infects Windows PE and Linux ELF executable files, is considered a low risk and carries no destructive payload. It simply burrows its way into the file tree and tries to infect as many files as it can.
Even though there have been no reported cases of infection by the virus--which is incapable of spreading itself via the Internet or email--some anti-virus vendors hailed the program, known variously as "Winux" and "Lindose," as marking the beginning of a new era of virus writing.
"Even though it is not spreading, Winux has set a new level in malicious code creation through its ability to attack both Linux and Windows," said Ian Hameroff, business manager for security solutions at Computer Associates.
A time waster
Other observers, however, say the virus is rudimentary and, as it has little chance of spreading, not particularly noteworthy.
"It's only interesting in the sense that it shows virus writers are becoming more interested in Linux," said Graham Cluley, senior technology consultant at Sophos anti-virus vendor. "It's very simple and not likely to spread on any big scale. Its real effect is wasting people's time."
Late last week, a worm called "Lion" began infecting some Linux DNS servers running certain version of the Berkeley Internet Name Domain (BIND) DNS software.
Winux was allegedly written by someone named Benny who claims to be a member of a virus-writing group called 29A. On machines running Microsoft's Windows 95, 98, ME, NT or 2000 software, the virus searches for all files located in the current folder and all of the folders above it on the file tree. It opens each file and infects all of the executables by overwriting the .reloc section of the file.
On Linux machines, Winux overwrites ELF executables and then stores the original code at the end of the executable. When the infected file is opened, the code takes control, spreads itself again and then returns control to the host file.
