Aliases: Bi.A, Biwili.A, Capzloq, ELF/BiWiLi.A, ELF_BI.A
Variants: PE_BI.B, Virus.Linux.Bi.a, Virus.LinuxBi.a, Virus.Win32.Bi.a, W32/Biwili.A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32/Linux
Discovered: 10 Apr 2006
Damage: Low

Characteristics: The W32/Linux.Bi program is a file infector virus. It is a 1287 code segment that is either appended at the end or inserted before the beginning of the executable file it finds.

More details about W32/Linux.Bi

W32/Linux.Bi is a parasitic virus that affects both Linux and Windows Operating System. It infects binary executable files of 4Kb to 4Mb in size. The W32/Linux.Bi virus is written in assembler and only infects files within its directory. This virus is created as a classic proof of concept code. It is designed to simply show that it is possible to create cross platform viruses, thus it does not cause any actual harm and destructive effects on infected computers. However, it may spread by simply launching an already infected file, and may be propagated by any typical means of transmission such as CD, floppy, thumb drives, and email. The W32/Linux.Bi virus is hard to recognize because it does not show any messages indicating that the virus has already reached the machine.

When the W32/Linux.Bi is active, it searches for binary executable files to infect in the current directory or folder where it is run from. Due to the virus presence, the size of the file that has been infected is increased. Also, the date and time of infected files is changed the moment the infection occurred. Infection of the W32/Linux.Bi virus is through manual execution of the executable file. The W32/Linux.Bi infects ELF (Executable Linking Format) and PE (Portable Executable) structure used by Linux and Windows platform. It infects by using INT 80 system calls and injects its body into the file.