CTX (computer virus)
CTX is a computer virus created in Spain in 1999. CTX was initially discovered as part of the Cholera worm, which its author had intentionally infected with CTX. Although the Cholera worm had the capability to send itself via email, the CTX virus quickly surpassed it in prevalence. Cholera is now considered obsolete, while CTX remains in the field, albeit with only rare discoveries.

In March 2006, CTX was in the news again due to a false positive in the McAfee VirusScan program that caused CTX detections in a range of innocuous files.

Simbiosis Project and "Biocoding"

The CTX virus originated as part of the "Simbiosis (sic) Project". The Simbiosis Project was an early attempt by the 29A virus writers group to combine Windows file infectors with Windows mass-mailing worms. This 'Project' was an attempt to see how successful this previously rare synthesis of malware threats was. Cholera/CTX is the only documented virus involved in the Simbiosis Project. Although CTX did gain some spread in the wild, this was notably more attributable to its file infection functions than to the Cholera mass-mailing function.

CTX was also a member of the "BioCoded" string of viruses. The viruses in the "BioCoded" string seemed to have little to do with each other beyond being named after biological viruses. Other members of this group include Marburg, Dengue and HPS, the latter of which is a reference to Hantavirus Pulmonary Syndrome. All "BioCoded" viruses have been listed on the WildList, including CTX. Despite their threatening names, CTX and all BioCoded viruses have no payload beyond graphics and, in some cases, deleting antivirus programs.

Function of Cholera Worm

By today's standards, Cholera is a fairly unremarkable mass-mailing worm, written in C++. However, Cholera was remarkable at its creation for its use of its own SMTP server. Unlike most worms of the day, which relied on installations of Microsoft Outlook or similar email programs, Cholera was capable of sending its own mails through internal mechanisms. Cholera sends its emails with the attachment SETUP.EXE, 49,187 bytes in size. Email addresses are collected from files on the infected computer's hard drive. Cholera only spreads when another Internet-using application is open, to avoid detection at a time when dial-up modems were standard.

When SETUP.EXE is executed, Cholera displays the fake error, "Cannot open file: it does not appear to be a valid archive. If you downloaded this file, try downloading the file again."

Cholera is also a network worm, inserting itself into the Windows folders of computers available through Network Neighborhood.

Finally, Cholera will add itself to either WIN.INI (Windows 95 and similar flavours) or the Registry (Windows NT and similar flavours).

CTX infection routine

Upon execution, whether from an infected file or the Cholera dropper, CTX will check to see if its payload routine should activate (see Payload). If not, CTX will infect EXE files. CTX is polymorphic, though its engine is neither particularly simple nor complex. CTX also obscures the entry point of infected files to avoid detection. The virus avoids infecting more than five files in a given folder, also to avoid detection. Files infected with CTX are padded to a multiple of 101 bytes so that the virus can recognise them and avoid re-infection.

Payload

CTX has a non-destructive payload which rarely activates. If a file is executed exactly six months to the hour after infection, and the video requirements are sufficient, CTX will go into an infinite loop of inverting the desktop colours.

Prevalence

The WildList, an organization tracking computer viruses, included CTX on its list of threats found in the field from November 2001 to May 2005.

McAfee false positive

On 17 March 2006, McAfee, makers of VirusScan, announced that a false positive had caused the CTX virus to be detected in a number of common, innocent files, including Microsoft Excel. McAfee posted a list of affected files on their web site at http://vil.nai.com/images/CTX_file_list.pdf.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.