Linux.Zariche.1 is a file virus designed to infect binary ELF files located in the folder from which the virus is launched. ELF files are used by many Unix-like operating systems (for example, Linux, FreeBSD, and Solaris) for their executables.
Once it is launched on the infected computer, Linux.Zariche.1 runs a search for ELF files in the current folder using the “0x464C457F” signature at zero offset. Each detected ELF file is parsed for the “=TMZ=” string that the virus uses as an infection marker. If the string is found, the virus considers the file to be infected.
Next, the virus loads the executable file into the computer's memory and encrypts it with the AES algorithm using the “guilhermethomazi” key and the IV of “0123456789101112”. Then Linux.Zariche.1 replaces the original file with the virus's copy adding the encrypted data to the end of this file.
Once the infection process is complete, Linux.Zariche.1 compares the size of its running file with the value stored in the virus code. If the current size is larger, the virus enters the encrypted data into the “.hostbytes<rnd>” file (“rnd” stands for a random number in the range from 0 to 100), decrypts the data, rewrites the file, and then launches it.
There is a modification of Linux.Zariche.1 that does not employ the AES encryption. Instead of it, this version of the virus adds the data from the original ELF file to the end of the infected object.
