Malware type: Elf Executable

Aliases: Virus.Linux.RST.b (Kaspersky), Linux.RST.B (Symantec), LINUX/Rst.B (Avira), Linux/Rst-B (Sophos)

In the wild: No

Destructive: Yes

Language: English

Platform: Linux/UNIX

Encrypted: No

Overall risk rating:


This malware runs on Linux/UNIX platforms and infects ELF executables in the current working directory and in /bin. It is both a file infector and a backdoor: it compromises system security by letting remote users access and manipulate infected machines.


Description created: Jan. 14, 2002 10:49:23 AM GMT -0800
Description updated: Oct. 13, 2002 3:14:07 AM GMT -0800


Size of malware: 4096 Bytes

Initial samples received on: Jan 12, 2002

Payload 1: Compromises Network Security

Trigger condition 1: Upon execution


Upon execution, this virus first creates a child process. The original parent process executes the host program, so the infected program appears to behave normally, while the child proceeds to infect files and listen on the network.

File Infection

This malware searches for up to 30 target ELF files in each of two directories: the current working directory and /bin. It infects only files that are executable.

It infects an ELF file by locating the first PT_LOAD segment (the loadable segments of an ELF file are the ones mapped into memory at run time and may contain executable code and data). It extends the size of this segment by 4096 bytes and inserts its viral code in the new space. It then modifies the file's entry point, setting it to the address of the viral code, and adjusts the sections, headers, and other segments so that the host file is not corrupted.

This virus does not reinfect files. It recognizes an already infected file by checking whether its entry point is located exactly 4096 bytes before the end of the first PT_LOAD segment. The same test can be used by a scanner to flag infected files.
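The reinfection test described above, turned into a scanner, as an added example (not Trend Micro's code and not derived from the virus itself). It parses the ELF header and program headers, takes the first PT_LOAD, and flags a file whose entry point is exactly 4096 bytes before the end of that segment. The page does not say whether "end of the segment" means p_filesz or p_memsz; the code assumes the file-backed end (p_vaddr + p_filesz), which is the same thing for a typical text segment. It handles 32- and 64-bit ELF of either byte order, which is more than the 2002 sample needed. The two sample files are constructed in memory for illustration.

```python
import os
import struct
import sys

PT_LOAD = 1
RST_B_SIZE = 4096  # bytes the virus appends to the first PT_LOAD segment

# Per ELF class: header format (after the 16-byte e_ident), program header
# format, and a picker returning (p_type, p_vaddr, p_filesz) from a phdr tuple.
_LAYOUT = {
    1: ("HHIIIIIHHHHHH", "IIIIIIII", lambda p: (p[0], p[2], p[4])),  # ELFCLASS32
    2: ("HHIQQQIHHHHHH", "IIQQQQQQ", lambda p: (p[0], p[3], p[5])),  # ELFCLASS64
}


def parse_elf(data):
    """Return (e_entry, p_vaddr, p_filesz) of the first PT_LOAD, or None."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return None
    endian = {1: "<", 2: ">"}.get(data[5])   # EI_DATA: 1 = little, 2 = big
    layout = _LAYOUT.get(data[4])            # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    if endian is None or layout is None:
        return None
    hdr_fmt, ph_fmt, pick = layout
    hdr_fmt, ph_fmt = endian + hdr_fmt, endian + ph_fmt
    if len(data) < 16 + struct.calcsize(hdr_fmt):
        return None
    hdr = struct.unpack_from(hdr_fmt, data, 16)
    e_entry, e_phoff, e_phentsize, e_phnum = hdr[3], hdr[4], hdr[8], hdr[9]
    ph_size = struct.calcsize(ph_fmt)
    if e_phentsize < ph_size:
        return None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + ph_size > len(data):
            return None  # truncated or malformed program header table
        p_type, p_vaddr, p_filesz = pick(struct.unpack_from(ph_fmt, data, off))
        if p_type == PT_LOAD:
            return e_entry, p_vaddr, p_filesz
    return None


def has_rst_b_marker(data):
    """The reinfection test from the description: the entry point sits exactly
    RST_B_SIZE bytes before the end of the first PT_LOAD.  Assumption: "end"
    means the file-backed end of the segment (p_vaddr + p_filesz)."""
    parsed = parse_elf(data)
    if parsed is None:
        return False
    e_entry, p_vaddr, p_filesz = parsed
    return p_filesz >= RST_B_SIZE and e_entry == p_vaddr + p_filesz - RST_B_SIZE


def scan_directory(path):
    """Apply the marker test to every regular executable file in one directory,
    mirroring the virus's own target selection; returns the flagged paths."""
    flagged = []
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False) and os.access(entry.path, os.X_OK):
            with open(entry.path, "rb") as f:
                if has_rst_b_marker(f.read()):
                    flagged.append(entry.path)
    return flagged


def build_elf32(entry, load_vaddr, load_filesz):
    """Constructed minimal little-endian ELF32 with one PT_LOAD (test data only,
    not a real binary): e_ident, then the 52-byte header, then one 32-byte phdr."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, entry, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, load_vaddr, load_vaddr,
                       load_filesz, load_filesz, 5, 0x1000)
    return ident + ehdr + phdr


# Constructed samples: a clean file, and one whose entry point sits exactly
# RST_B_SIZE bytes before the end of its first PT_LOAD (the infection marker).
CLEAN = build_elf32(0x08048100, 0x08048000, 0x2000)
INFECTED = build_elf32(0x08048000 + 0x2000 - RST_B_SIZE, 0x08048000, 0x2000)

if __name__ == "__main__":
    # Default to the two directories the virus itself targets.
    for d in sys.argv[1:] or [os.getcwd(), "/bin"]:
        for p in scan_directory(d):
            print("marker present:", p)
```

The marker is a heuristic, not proof of infection: a legitimately linked binary whose entry point happens to land 4096 bytes before the end of its first loadable segment would also match, so treat a hit as a reason to compare the file against the package manager's checksums or a known-good copy.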

Files infected with this virus contain the following text strings:


Backdoor Process

This virus also acts as a backdoor. After infecting other programs, the child process connects to 207.<blocked>.155.21 on port 80. This IP address resolves to xo<blocked>sis.com, which does not appear to host malicious content.

It sends a GET request to that server for a file named gov.php. The file is not present on the server; the virus more probably uses the request to learn the infected host's externally visible IP address.

It then sets the network devices "eth0" and "ppp0" to promiscuous mode, which makes them capture every packet that arrives on the link rather than only those addressed to the host. This lets the attacker run a sniffer on the compromised machine and retrieve information such as passwords from traffic passing the target system.
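A host-side check for the side effect just described, as an added example (not Trend Micro's code). On Linux the kernel exposes each interface's flags under /sys/class/net/<iface>/flags as a hex string (for example 0x1103), and IFF_PROMISC is the 0x100 bit defined in linux/if.h. The sample readings are constructed, not captured from a real host; the sysfs path and bit value are as documented for Linux.

```python
import os

IFF_PROMISC = 0x100   # linux/if.h; set while any process holds the device in promiscuous mode
SYSFS_NET = "/sys/class/net"


def is_promiscuous(flags_text):
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_from_readings(readings):
    """readings maps interface name -> flags file content; returns the names
    whose IFF_PROMISC bit is set, sorted for stable output."""
    return sorted(name for name, text in readings.items() if is_promiscuous(text))


def read_sysfs_flags(root=SYSFS_NET):
    """Collect the flags file of every interface the kernel exposes under sysfs.
    Returns an empty dict if sysfs is not mounted (e.g. on non-Linux hosts)."""
    readings = {}
    try:
        names = os.listdir(root)
    except FileNotFoundError:
        return readings
    for name in names:
        try:
            with open(os.path.join(root, name, "flags")) as f:
                readings[name] = f.read()
        except OSError:
            continue  # interface vanished or flags not readable; skip it
    return readings


# Constructed readings (not captured from a real host):
#   eth0: UP | BROADCAST | PROMISC | MULTICAST  -> 0x1103, the state the virus leaves it in
#   ppp0: UP | POINTOPOINT | NOARP | MULTICAST  -> 0x1091, a plain dial-up link
#   lo:   UP | LOOPBACK                         -> 0x9
SAMPLE_FLAGS = {"eth0": "0x1103\n", "ppp0": "0x1091\n", "lo": "0x9\n"}

if __name__ == "__main__":
    for iface in promiscuous_from_readings(read_sysfs_flags()):
        print("promiscuous:", iface)
```

The same bit is what "ip link" prints as PROMISC, so the two can be cross-checked. The caveat is that this only reports what the kernel says: a rootkit that filters sysfs or a sniffer that reads traffic without enabling promiscuous mode will not show up, so treat an unexpected PROMISC flag as strong evidence and its absence as weak evidence.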

If it receives a packet containing the string "DOM" at a particular offset together with a command byte of 1, the attacker can execute arbitrary commands on the target system, including file manipulation commands. At this point the attacker has remote control of the target system.

Otherwise, if the command byte is 2, it sends the string "DOM" back to the sender using port 4369, which lets an attacker scanning the network confirm which hosts are infected.


Minimum scan engine version needed: 5.200

Pattern file needed: 1.200.00

Pattern release date: Jan 12, 2002

Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.


Scan your system with Trend Micro antivirus and delete all files detected as ELF_RST.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Because the virus inserts itself into legitimate executables, including those in /bin, any deleted file is a host program that must be restored from the distribution's packages or another trusted copy before the system is usable again.
