CTX is a computer virus created in Spain in 1999. It was initially discovered as part of the Cholera worm, which its author had deliberately infected with CTX. Although Cholera could send itself by email, CTX quickly surpassed it in prevalence: Cholera is now considered obsolete, while CTX remains in the field, albeit with only rare discoveries. In March 2006, CTX was in the news again because of a false positive in McAfee's VirusScan that caused CTX detections in a range of innocuous files.


Simbiosis Project and "Biocoding"

The CTX virus originated as part of the "Simbiosis (sic) Project", an early attempt by the 29A virus-writing group to combine a Windows file infector with a Windows mass-mailing worm. The project set out to see how successful this then-rare combination of threats would be; Cholera/CTX is the only documented virus to come out of it. Although CTX did spread in the wild, that spread owed far more to its file-infection routine than to Cholera's mass-mailing routine. CTX was also a member of the "BioCoded" family of viruses, which seem to have had little in common beyond being named after biological viruses. Other members include Marburg, Dengue and HPS, the last a reference to Hantavirus Pulmonary Syndrome. All BioCoded viruses, CTX included, have been listed on the WildList. Despite their threatening names, CTX and the other BioCoded viruses have no payload beyond graphical effects and, in some cases, deleting antivirus programs.


Function of Cholera Worm

By today's standards, Cholera is a fairly unremarkable mass-mailing worm, written in C++. At the time of its creation, however, it was notable for carrying its own SMTP engine: unlike most worms of the day, which relied on an installed copy of Microsoft Outlook or a similar email client, Cholera could send mail through its own internal mechanisms. It sends its emails with the attachment SETUP.EXE, 49,187 bytes in size, to addresses harvested from files on the infected computer's hard drive. Cholera only sends mail while another Internet-using application is open, so that its traffic does not draw attention at a time when dial-up modems were standard. When SETUP.EXE is executed, Cholera displays the fake error "Cannot open file: it does not appear to be a valid archive. If you downloaded this file, try downloading the file again." Cholera is also a network worm, copying itself into the Windows folders of computers reachable through Network Neighborhood. Finally, Cholera adds itself to either WIN.INI (Windows 95 and similar versions) or the Registry (Windows NT and similar versions) so that it is run at startup.
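
Autostart entries like the ones described above are the first thing to check on a suspect host. The script below is an added example, not Cholera's code and not any vendor's tool. It assumes that the [windows] section of WIN.INI lists autostart programs in its run= and load= keys, and the WIN.INI text and file sizes it works on are constructed. It also generalizes slightly beyond the page: the triage step accepts any list of autostart commands, so values exported from an NT Registry Run key can be fed through the same check as the WIN.INI entries.

```python
"""Triage of Windows autostart entries for a Cholera-style dropper.

Added example (not Cholera's or any vendor's code).  Assumptions: WIN.INI's
[windows] section uses ``load=`` and ``run=`` as its autostart keys, and the
sample INI text and file sizes below are constructed, not taken from a real
infection.
"""
import ntpath

CHOLERA_ATTACHMENT_NAME = "SETUP.EXE"   # attachment name stated on the page
CHOLERA_ATTACHMENT_SIZE = 49187         # attachment size stated on the page
REASON_NAME = "filename is SETUP.EXE"
REASON_SIZE = "size is 49,187 bytes"

# Constructed sample: a Windows 9x WIN.INI after something added itself to run=.
SAMPLE_WIN_INI = """\
; constructed sample, not a real WIN.INI
[windows]
load=
run=C:\\WINDOWS\\SETUP.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed sample: sizes a real tool would obtain from os.path.getsize.
SAMPLE_SIZES = {"C:\\WINDOWS\\SETUP.EXE": 49187}


def parse_ini(text):
    """Minimal INI parser: {section_lower: [(key_lower, value), ...]}.

    Hand-rolled rather than configparser because WIN.INI allows duplicate
    keys and keys containing spaces and parentheses (the [fonts] section).
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def win_ini_autostart(text):
    """Programs WIN.INI starts at logon: the run= and load= lists.

    Both are whitespace-separated and empty on a clean system, so anything
    here deserves a look even before the name/size checks below.
    """
    entries = []
    for key, value in parse_ini(text).get("windows", []):
        if key in ("run", "load") and value:
            entries.extend(value.split())
    return entries


def triage_autostart(entries, size_of):
    """Return {entry: [reasons]} for entries that match the Cholera dropper.

    ``entries`` may come from WIN.INI (above) or from exported Registry Run
    values on NT; ``size_of`` maps a path to its size in bytes, or None.
    """
    findings = {}
    for entry in entries:
        reasons = []
        if ntpath.basename(entry).upper() == CHOLERA_ATTACHMENT_NAME:
            reasons.append(REASON_NAME)
        if size_of(entry) == CHOLERA_ATTACHMENT_SIZE:
            reasons.append(REASON_SIZE)
        if reasons:
            findings[entry] = reasons
    return findings


if __name__ == "__main__":
    hits = triage_autostart(win_ini_autostart(SAMPLE_WIN_INI), SAMPLE_SIZES.get)
    for path, why in hits.items():
        print(path, "->", "; ".join(why))
```

On a live system, replace SAMPLE_SIZES.get with os.path.getsize wrapped to return None on error, and read WIN.INI from the Windows directory; the name and size checks are deliberately narrow, so treat an empty result as "nothing matching Cholera's dropper", not as a clean bill of health.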


CTX infection routine

Upon execution, whether from an infected file or from the Cholera dropper, CTX first checks whether its payload routine should activate (see Payload). If not, it infects EXE files. CTX is polymorphic, though its engine is neither especially simple nor especially complex. It also obscures the entry point of infected files (entry-point obscuring: the PE entry point is left pointing at host code and control is diverted to the virus elsewhere) to avoid detection, and it infects no more than five files in any one folder, again to avoid drawing attention. Files infected with CTX are padded to a multiple of 101 bytes; this serves as the infection marker that prevents re-infection.
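
The 101-byte padding is an infection marker: CTX reads it to avoid infecting a file twice, which means a defender can read it too. The script below is an added example, not CTX's code and not any scanner's signature; it relies on nothing about CTX beyond the two facts stated above (padding to a multiple of 101 bytes, at most five infections per folder) and builds its own sample files, which are constructed stand-ins rather than real infected binaries. The marker alone is weak (roughly one in 101 clean executables matches by chance), so the output is a shortlist for a full scan, not a verdict.

```python
"""Hunting for CTX's re-infection marker across a tree of PE files.

Added example, not CTX's code or any vendor's detection.  It uses only two
facts the page states: CTX pads infected files to a multiple of 101 bytes as
its re-infection marker, and it infects at most five files per folder.  The
sample files built below are constructed stand-ins, not real infected files.
"""
import os

CTX_SIZE_MODULUS = 101  # infected files are padded to a multiple of this


def is_pe(data):
    """True if ``data`` starts with an MZ header whose e_lfanew points at a
    PE signature (the minimum for a Win32 executable CTX could infect)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def has_ctx_size_marker(size):
    """The same test CTX itself applies before infecting a file again."""
    return size % CTX_SIZE_MODULUS == 0


def scan_blobs(files):
    """``files`` is {name: bytes}; returns names that are PE files carrying
    the size marker.  About 1 in 101 clean PE files matches by chance, so a
    hit is a candidate for a full scan, not a verdict."""
    return sorted(name for name, data in files.items()
                  if is_pe(data) and has_ctx_size_marker(len(data)))


def scan_tree(root):
    """Same heuristic over a real directory tree.  Every file in a folder is
    examined: CTX's five-per-folder cap means most files in an infected
    folder are clean, so a sampled scan would miss the infected ones."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                if not has_ctx_size_marker(size):
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(0x40)
                    if len(head) < 0x40 or head[:2] != b"MZ":
                        continue
                    fh.seek(int.from_bytes(head[0x3C:0x40], "little"))
                    if fh.read(4) == b"PE\0\0":
                        hits.append((path, size))
            except OSError:
                continue
    return hits


def build_fake_pe(total_size):
    """Constructed stand-in: MZ stub, e_lfanew=0x40, PE signature, padding."""
    data = bytearray(max(total_size, 0x44))
    data[0:2] = b"MZ"
    data[0x3C:0x40] = (0x40).to_bytes(4, "little")
    data[0x40:0x44] = b"PE\0\0"
    return bytes(data)


# Constructed samples: one clean-sized PE, one carrying the marker, one
# non-PE file that happens to be exactly 101 bytes long.
SAMPLE_FILES = {
    "clean.exe": build_fake_pe(4096),        # 4096 % 101 != 0
    "marked.exe": build_fake_pe(101 * 50),   # carries the marker
    "notes.txt": b"x" * 101,                 # right size, not a PE
}

if __name__ == "__main__":
    print(scan_blobs(SAMPLE_FILES))
```

Run scan_tree against a mounted image or a copied Windows directory; each hit is then a candidate for a proper signature scan or manual inspection of the entry point and the last section.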


Payload

CTX has a non-destructive payload that rarely activates. If an infected file is executed exactly six months to the hour after infection, and the video hardware meets the routine's requirements, CTX goes into an infinite loop inverting the desktop colours.


Prevalence

The WildList, a list of viruses confirmed to be spreading in the field, included CTX from November 2001 to May 2005.


McAfee false positive

On 17 March 2006, McAfee, makers of VirusScan, announced that a false positive had caused the CTX virus to be detected in a number of common, innocent files, including Microsoft Excel. McAfee posted a list of the affected files on its web site.



External links


McAfee - False positive information
RAV - CTX
F-Secure - CTX and Cholera (Simbiosis)
NewsFactor - McAfee Update Kills More Than Viruses
The Art of Computer Virus Research and Defense
The New Age of Computer Virus and Their Detection