Virus Profile: Linux/Rst.a

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 1/10/2002
Date Added: 1/22/2003
Origin: Unknown
Length: 6973 bytes added on average
Type: Virus
Subtype: File Infector
DAT Required: 4221


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

-Changed Date and Time stamps

-Filesize increase, average 6973 bytes (decimal)

-Connections to remote machines

Methods of Infection

-Manually running the malicious file initializes the infection, if the user has enough rights to change (write to) files.



Virus Characteristics

The Linux/Rst.a virus was discovered in January 2002.

The virus is a direct-action virus: when executed, it tries to infect ELF binary executable files in the /bin directory and the current directory.

Infected files have their date and time stamps changed to the moment the infection occurs.
Infected files grow in size; the amount depends on system settings, but on average 6973 bytes (decimal) are added. The virus changes the file's entry point (where the program code starts) and inserts its viral code. The virus uses anti-debugging techniques to make disassembly harder.

Apart from infecting ELF binary files, the virus tries to make the system vulnerable to remote use by attackers. When a packet sent by attackers is received, the virus creates a connection and the attackers can abuse a remote shell.

Note that the virus doesn't use a vulnerability to gain higher permissions such as root rights, so the infection will not be successful for regular users.
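
The file-level indicators described above (a changed entry point and a size increase in ELF files) can be checked against a known-good baseline. The following is an added example, not part of the original profile or of any vendor tooling; the function names and the JSON baseline format are assumptions made for illustration.

```python
import hashlib, json, os, struct, sys

def elf_entry(data):
    """Return e_entry from an ELF header, or None if data is not ELF."""
    if len(data) < 0x20 or data[:4] != b"\x7fELF":
        return None
    width = "Q" if data[4] == 2 else "I"      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    order = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little, 2 = big endian
    return struct.unpack_from(order + width, data, 0x18)[0]  # e_entry offset

def snapshot(directory):
    """Record size, entry point and SHA-256 of every regular ELF file."""
    snap = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        entry = elf_entry(data)
        if entry is not None:
            snap[name] = {"size": len(data), "entry": entry,
                          "sha256": hashlib.sha256(data).hexdigest()}
    return snap

def compare(baseline, current):
    """Return {name: [findings]} for files that differ from the baseline."""
    report = {}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report[name] = ["missing or no longer ELF"]
            continue
        findings = []
        if new["entry"] != old["entry"]:
            findings.append("entry point changed")
        if new["size"] > old["size"]:
            findings.append("grew by %d bytes" % (new["size"] - old["size"]))
        if not findings and new["sha256"] != old["sha256"]:
            findings.append("content changed")
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    now = snapshot(sys.argv[1] if len(sys.argv) > 1 else "/bin")
    if len(sys.argv) > 2:                      # second argument: baseline JSON
        with open(sys.argv[2]) as fh:
            now = compare(json.load(fh), now)
    print(json.dumps(now, indent=2))
```

Run with no arguments on a known-clean system to print a baseline for /bin, and store that output on read-only or offline media; later runs with a directory and the saved baseline file print only the files that differ.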


Variants information
Virus Name | Type | Subtype | Differences
Linux/Rst.b | Virus | File Infector | Minor differences; infected ELF binary files have their file size increased by 4096 bytes (decimal).
Detection is included in the specified DAT release.

In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Delete files identified by the scanner, replace them with clean ones from backup or re-install them using the original packages. Reboot the system.

Administrators should regularly check for availability of important security updates/patches.
