
Linux.Simile

Risk Level 1: Very Low

  • Discovered: May 22, 2002
  • Updated: February 13, 2007 11:57:34 AM
  • Also Known As: W32.Simile, {Win32, Linux}/Simile.D, {Win32, Linux}/Etap.D
  • Type: Virus
  • Systems Affected: Linux, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

{Win32,Linux}/Simile.D is a very complex virus that uses entry-point obscuring, metamorphism, and polymorphic decryption. It is the first known polymorphic metamorphic virus to infect under both Windows and Linux. The virus contains no destructive payload, but infected files may display messages on certain dates. It is the fourth variant of the Simile family. This variant introduces a new infection mechanism on Intel Linux platforms, infecting 32-bit ELF files (a standard Unix binary format). The virus infects Portable Executable (PE) files as well as ELFs on both Linux and Win32 systems. So far Symantec has not received any submissions of this virus from customers.

NOTE: The {Win32,Linux} reference follows the CARO (Computer Anti-virus Researchers Organization) standard naming convention. It indicates that a threat can infect across multiple platforms, in this case Win32 and Linux. Another such example would be {Win32,W97M}.



Norton AntiVirus detects the virus as W32.Simile in infected PE files and as Linux.Simile in infected ELF files. As a result, we have two different platform identifiers for this virus and detect the family of this virus under a single generic name without the usual variant letters in the name.

Portable Executable (PE) files
PE files are files that are portable across all Microsoft 32-bit operating systems. The same PE-format executable can be executed on any version of Windows 95, 98, Me, NT, and 2000. Therefore, all PE files are executable, but not all executable files are portable.

A good example of a Portable Executable is a screen saver (.scr) file.

Antivirus Protection Dates

  • Initial Rapid Release version May 30, 2002
  • Latest Rapid Release version May 30, 2002
  • Initial Daily Certified version May 30, 2002
  • Latest Daily Certified version May 30, 2002
  • Initial Weekly Certified release date June 5, 2002

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: Low
Writeup By: Frederic Perriot
