# Is my Perl spreading a virus?  Or detecting one?

## BitJam

I've hit a bizarre problem that I don't understand.  I was writing yet another Perl filter program to munge up some other code.  I noticed that when I ran the Perl program and had the output sent to stdout, characters would fill my command line.

I reduced the Perl program to:

```
#!/usr/bin/perl

while (<>) {
    print;
}
```

and the problem persisted although if I write that same program from scratch, it acts normally.  If I copy the program to another file and run it then it acts normally.   The problematic program plays the same tricks regardless of what the input file is.

Here is a hexdump -C of the Perl code that is acting up:

```
00000000  23 21 2f 75 73 72 2f 62  69 6e 2f 70 65 72 6c 0a  |#!/usr/bin/perl.|
00000010  0a 77 68 69 6c 65 20 28  3c 3e 29 20 7b 0a 20 20  |.while (<>) {.  |
00000020  20 20 70 72 69 6e 74 3b  0a 7d 0a 0a              |  print;.}..|
0000002c
```

A little more investigation showed that the top of the output file was overwritten with binary.  Writing this raw binary to the screen is what was causing a bunch of characters to show up on my command line.  The binary is about 9K bytes (update: I had previously said 717 bytes) long and starts with hex 7F followed by "ELF", which makes me suspect it is a tiny executable and that a virus is involved.

I've recently had a couple of crashes due to quickly running out of memory.  The last time this happened I suspected Spam-Assassin because almost nothing else was running.  It is now disabled.  My wild guess is that SA was processing malicious email that used an OOM condition to infect Perl.

Edit: If I store the binary in a file and then run the "file" program on it I get:

```
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), stripped
```

Edit-2: I re-emerged Perl but the problem persisted.  It seems to be related to the path and filename of the executable Perl script.  Sometimes copying and/or renaming fixes the problem and sometimes it doesn't.  Changing the shebang line to `#!/usr/bin/env perl` does not fix the problem.  Even running it via Perl directly does not fix the problem:

```
perl Tools/renumber-parts.pl
```

If I rename the program to rnp.pl then the problem goes away.

Below is a hexdump of the start of the binary that gets spit out:

```
00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 3e 00 01 00 00 00  9c 0e 40 00 00 00 00 00  |..>.......@.....|
00000020  40 00 00 00 00 00 00 00  68 21 00 00 00 00 00 00  |@.......h!......|
00000030  00 00 00 00 40 00 38 00  0a 00 40 00 1b 00 1a 00  |....@.8...@.....|
00000040  06 00 00 00 05 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000050  40 00 40 00 00 00 00 00  40 00 40 00 00 00 00 00  |@.@.....@.@.....|
00000060  30 02 00 00 00 00 00 00  30 02 00 00 00 00 00 00  |0.......0.......|
00000070  08 00 00 00 00 00 00 00  03 00 00 00 04 00 00 00  |................|
00000080  70 02 00 00 00 00 00 00  70 02 40 00 00 00 00 00  |p.......p.@.....|
00000090  70 02 40 00 00 00 00 00  1c 00 00 00 00 00 00 00  |p.@.............|
000000a0  1c 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
000000b0  01 00 00 00 05 00 00 00  00 00 00 00 00 00 00 00  |................|
000000c0  00 00 40 00 00 00 00 00  00 00 40 00 00 00 00 00  |..@.......@.....|
000000d0  b4 11 00 00 00 00 00 00  b4 11 00 00 00 00 00 00  |................|
000000e0  00 00 20 00 00 00 00 00  01 00 00 00 06 00 00 00  |.. .............|
000000f0  e0 1d 00 00 00 00 00 00  e0 1d 60 00 00 00 00 00  |..........`.....|
00000100  e0 1d 60 00 00 00 00 00  b0 02 00 00 00 00 00 00  |..`.............|
00000110  c8 02 00 00 00 00 00 00  00 00 20 00 00 00 00 00  |.......... .....|
00000120  02 00 00 00 06 00 00 00  08 1e 00 00 00 00 00 00  |................|
00000130  08 1e 60 00 00 00 00 00  08 1e 60 00 00 00 00 00  |..`.......`.....|
00000140  b0 01 00 00 00 00 00 00  b0 01 00 00 00 00 00 00  |................|
00000150  08 00 00 00 00 00 00 00  04 00 00 00 04 00 00 00  |................|
00000160  8c 02 00 00 00 00 00 00  8c 02 40 00 00 00 00 00  |..........@.....|
00000170  8c 02 40 00 00 00 00 00  20 00 00 00 00 00 00 00  |..@..... .......|
00000180  20 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  | ...............|
00000190  50 e5 74 64 04 00 00 00  b4 10 00 00 00 00 00 00  |P.td............|
000001a0  b4 10 40 00 00 00 00 00  b4 10 40 00 00 00 00 00  |..@.......@.....|
000001b0  34 00 00 00 00 00 00 00  34 00 00 00 00 00 00 00  |4.......4.......|
000001c0  04 00 00 00 00 00 00 00  51 e5 74 64 06 00 00 00  |........Q.td....|
000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001f0  00 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
00000200  52 e5 74 64 04 00 00 00  e0 1d 00 00 00 00 00 00  |R.td............|
00000210  e0 1d 60 00 00 00 00 00  e0 1d 60 00 00 00 00 00  |..`.......`.....|
00000220  20 02 00 00 00 00 00 00  20 02 00 00 00 00 00 00  | ....... .......|
00000230  01 00 00 00 00 00 00 00  80 15 04 65 00 28 00 00  |...........e.(..|
00000240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000260  00 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
00000270  2f 6c 69 62 36 34 2f 6c  64 2d 6c 69 6e 75 78 2d  |/lib64/ld-linux-|
00000280  78 38 36 2d 36 34 2e 73  6f 2e 32 00 04 00 00 00  |x86-64.so.2.....|
00000290  10 00 00 00 01 00 00 00  47 4e 55 00 00 00 00 00  |........GNU.....|
000002a0  02 00 00 00 06 00 00 00  09 00 00 00 00 00 00 00  |................|
000002b0  3b 00 00 00 24 00 00 00  15 00 00 00 1f 00 00 00  |;...$...........|
000002c0  00 00 00 00 00 00 00 00  00 00 00 00 0a           |.............|
000002cd
```
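
The `file` verdict and the ELF hexdump above can be reproduced by hand; the script below is an added example, not part of the thread, that parses `hexdump -C` text (skipping the `*` repeat markers), reads the ELF64 header and walks the program headers to the PT_INTERP segment, which is how "64-bit LSB executable, x86-64" and "dynamically linked" are recovered. The embedded dump is a constructed subset of the lines quoted above (ELF header, first two program headers, and the interpreter string at 0x270).

```python
import re, struct

# Excerpt (a constructed subset) of the `hexdump -C` quoted in the thread.
HEXDUMP = """\
00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 3e 00 01 00 00 00  9c 0e 40 00 00 00 00 00  |..>.......@.....|
00000020  40 00 00 00 00 00 00 00  68 21 00 00 00 00 00 00  |@.......h!......|
00000030  00 00 00 00 40 00 38 00  0a 00 40 00 1b 00 1a 00  |....@.8...@.....|
00000040  06 00 00 00 05 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000070  08 00 00 00 00 00 00 00  03 00 00 00 04 00 00 00  |................|
00000080  70 02 00 00 00 00 00 00  70 02 40 00 00 00 00 00  |p.......p.@.....|
00000090  70 02 40 00 00 00 00 00  1c 00 00 00 00 00 00 00  |p.@.............|
000000a0  1c 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
00000270  2f 6c 69 62 36 34 2f 6c  64 2d 6c 69 6e 75 78 2d  |/lib64/ld-linux-|
00000280  78 38 36 2d 36 34 2e 73  6f 2e 32 00 04 00 00 00  |x86-64.so.2.....|
"""
HEXLINE = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{2}\s+)+)\|")

def parse_hexdump(text):
    """Map offset -> byte; '*' repeat markers and the final offset line are skipped."""
    mem = {}
    for m in filter(None, map(HEXLINE.match, text.splitlines())):
        for i, tok in enumerate(m.group(2).split()):
            mem[int(m.group(1), 16) + i] = int(tok, 16)
    return mem

def read(mem, off, n):
    return bytes(mem[off + i] for i in range(n))  # KeyError where the excerpt has no bytes

def describe_elf(mem):
    """Recover what file(1) printed from the ELF64 header plus the PT_INTERP segment."""
    if read(mem, 0, 4) != b"\x7fELF":
        return None
    ei_class, ei_data = read(mem, 4, 2)
    (e_type, e_machine, _, e_entry, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack("<HHIQQQIHHHHHH", read(mem, 16, 48))
    info = {"class": {1: "32-bit", 2: "64-bit"}[ei_class],
            "data": {1: "LSB", 2: "MSB"}[ei_data],
            "type": {2: "executable", 3: "shared object"}.get(e_type, hex(e_type)),
            "machine": {0x3e: "x86-64", 0x03: "i386"}.get(e_machine, hex(e_machine)),
            "entry": e_entry, "interp": None}
    for i in range(e_phnum):  # PT_INTERP (type 3) names the dynamic loader
        ph = e_phoff + i * e_phentsize
        p_type, _, p_offset = struct.unpack("<IIQ", read(mem, ph, 16))
        if p_type == 3:
            p_filesz, = struct.unpack("<Q", read(mem, ph + 32, 8))
            info["interp"] = read(mem, p_offset, p_filesz).rstrip(b"\0").decode()
            break
    return info
```

Running `describe_elf(parse_hexdump(HEXDUMP))` on the excerpt yields a 64-bit LSB x86-64 executable with entry 0x400e9c and interpreter `/lib64/ld-linux-x86-64.so.2`, matching the `file` output; a plain Perl script (bytes `23 21 2f ...`) returns `None`.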

----------

## turtles

Can you pastebin the original?

what type of machine was it written for?

----------

## BitJam

I now think it is benign.  I think it is a bug in Perl (or elsewhere?).  It copies the Perl binary instead of the file that is supposed to be output.  I think the file handles are getting mixed up.

I re-installed Perl and there was no change.  It seems to be triggered by certain path/filenames of the little Perl script.  OTOH, if I create the same file and directory structure elsewhere, I can't reproduce the bug.  The bug seems to depend only on the path/filename of the script.  A buggy script will reproduce the bug regardless of the name of the input file or even with input from stdin.

When I reinstall Perl, the md5sum of the binary changes but the length stays the same, which is expected.  The bug remains and the new Perl binary gets copied to stdout.  I use Perl all the time and it does not seem to be unreliable.  I think this is a rare bug.  Although I wonder if this is what caused Spam Assassin to go haywire.

This is on an amd-64 system.

----------

## limn

This did not sound like a virus. More like an inode confusion from your crashes.

----------

