Central Command Discovers W32.Winux

The First Virus That Can Infect Both Windows And Linux Systems

MEDINA, Ohio–(BUSINESS WIRE)–March 27, 2001–Central Command, a leading provider of PC anti-virus software and computer security services, and its partners today announced the discovery of W32.Winux, the world’s first cross platform virus capable of infecting computers using both the Microsoft Windows and Linux operating systems.

“Today with the discovery of W32.Winux, we have received the world’s first known virus capable of spreading on both Windows and Linux computer systems. While people do not share executables between these operating systems, this new proof of concept virus represents a technology innovation that may lead to more destructive viruses in the future. Our Emergency Virus Response Team(TM) discovered this new virus and has analyzed it,” said Steven Sundermeier, Product Manager at Central Command Inc.


Name: Win32.Winux / Linux.Winux


Detection added: March 27, 2001

Spread Method: by infecting files under both Windows and Linux

operating system


W32.Winux is a non-memory resident virus. It can replicate under Windows 95/98/Me/NT/2000 (Win32) and Linux systems and infects PE files (Windows executable) and ELF files (Linux executable). The infection method is basic. It searches for all files located in current folder and its parent folders and opens every file. If a target file is a PE or ELF executable the appropriate infection routine is called:

Win32 infection routine:

Infection is done by overwriting the .reloc section of PE executable. If the .reloc section size is not large enough to hold the virus body, the file is not infected. It uses the following API functions to infect other files: FindFirstFileA, FindNextFileA, FindClose, CreateFileA, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, CloseHandle, VirtualAlloc, VirtualFree, WriteFile, SetFilePointer, GetCurrentDirectoryA, SetCurrentDirectoryA

Linux infection routine:

ELF executables are infected by the overwriting instructions at the entry point. The original code is then stored at the end of ELF executable. When an infected ELF application is executed, the virus code takes control, spreads further and then passes control to the host file.

“It is believed to have originated out of the Czech Republic and does not have a destructive payload.” concluded Sundermeier.

W32.Winux contains internal text strings. It also contains the following text: “(Win32/Linux.Winux) multi-platform virus by Benny/29A” and “This GNU program is covered by GPL.”

Please visit www.avx.com for a complete virus description.

AVX Professional starts at $38.95, and a free 30-day trial version may be downloaded from www.avx.com or obtained by contacting Central Command toll-free at 866/2-GET-AVX (866/243-8289).

About Central Command:

A leader in the anti-virus industry, Central Command, Inc., a privately held company, was founded in 1990 and serves home PC users and industrial, government, financial, education and service firms with virus protection software, services, and information. The company services customers in over 65 countries and is headquartered in Medina, Ohio.

Central Command, EVRT, Emergency Virus Response Team are trademarks of Central Command, Inc. AVX and AntiVirus eXpert are trademarks of Softwin SRL, Romania. All other trademarks, trade names, and products referenced herein are property of their respective owners.


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss