CTX is a

computer virus A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and Code injection, inserting its own Computer language, code into those programs. If this replication succeeds, the affected areas ...

created in

Spain Spain, or the Kingdom of Spain, is a country in Southern Europe, Southern and Western Europe with territories in North Africa. Featuring the Punta de Tarifa, southernmost point of continental Europe, it is the largest country in Southern Eur ...

in 1999. CTX was initially discovered as part of the Cholera worm, with which the author intentionally infected with CTX. Although the Cholera worm had the capability to send itself via email, the CTX worm quickly surpassed it in prevalence. Cholera is now considered obsolete, while CTX remains in the field, albeit with only rare discoveries. In March 2006, CTX was in the news again due to a

false positive A false positive is an error in binary classification in which a test result incorrectly indicates the presence of a condition (such as a disease when the disease is not present), while a false negative is the opposite error, where the test resu ...

in the

McAfee McAfee Corp. ( ), formerly known as McAfee Associates, Inc. from 1987 to 1997 and 2004 to 2014, Network Associates Inc. from 1997 to 2004, and Intel Security Group from 2014 to 2017, is an American proprietary software company focused on online ...

'' VirusScan'' program that caused CTX detections in a range of innocuous files.

Simbiosis Project and "Biocoding"

The CTX virus originated as part of the "Simbiosis (sic) Project". The Simbiosis Project was an early attempt by the 29A virus writers group to combine Windows file infectors with Windows mass-mailing worms. This 'Project' was an attempt to see how successful this previously rare synthesis of malware threats was. Cholera/CTX is the only documented virus involved in the Simbiosis Project. Although CTX did gain some spread in the wild, this was remarkably more related to its file infection functions than the Cholera mass-mailing function. CTX was also a member of the "BioCoded" string of viruses. The "BioCoded" string seemed to have little to do with each other beyond being named after biological viruses. Other members of this group include Marburg, Dengue, HPS, the latter of which is a reference to

Hantavirus Pulmonary Syndrome Hantavirus pulmonary syndrome (HPS), also called hantavirus cardiopulmonary syndrome (HCPS), is a severe respiratory disease caused by hantaviruses. The main features of illness are microvascular leakage and acute respiratory distress syndrome. S ...

. All "BioCoded" viruses have been listed on th
WildList
, including CTX. Despite their threatening names, CTX and all BioCoded viruses have no

payload Payload is the object or the entity that is being carried by an aircraft or launch vehicle. Sometimes payload also refers to the carrying capacity of an aircraft or launch vehicle, usually measured in terms of weight. Depending on the nature of t ...

beyond graphics and, in some cases, deleting antivirus programs.

Function of Cholera Worm

By today's standards, Cholera is a fairly unremarkable mass-mailing worm, written in C++. However, Cholera was remarkable at its creation for its use of its own

SMTP The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typi ...

server. Unlike most worms of the day, which relied on installations of

Microsoft Outlook Microsoft Outlook is a personal information manager software system from Microsoft, available as a part of the Microsoft 365 software suites. Primarily popular as an email client for businesses, Outlook also includes functions such as Calendari ...

or similar email programs, Cholera was capable of sending its own mails through internal mechanisms. Cholera sends its emails with the attachment SETUP.EXE, of 49,187 bytes in size. Emails are collected from files on the infected computer's hard drive. Cholera only spreads when another Internet-using application is open, to avoid detection in a time when

dial-up Dial-up Internet access is a form of Internet access that uses the facilities of the public switched telephone network (PSTN) to establish a connection to an Internet service provider (ISP) by dialing a telephone number on a conventional telepho ...

modem The Democratic Movement (, ; MoDem ) is a centre to centre-right political party in France, whose main ideological trends are liberalism and Christian democracy, and that is characterised by a strong pro-Europeanist stance. MoDem was establis ...

s were standard. When SETUP.EXE is executed, Cholera displays the fake error, "Cannot open file: it does not appear to be a valid archive. If you downloaded this file, try downloading the file again." Cholera is also a network worm, inserting itself into the Windows folders of computers available through Network Neighborhood. Finally, Cholera will add itself to either WIN.INI (

Windows 95 Windows 95 is a consumer-oriented operating system developed by Microsoft and the first of its Windows 9x family of operating systems, released to manufacturing on July 14, 1995, and generally to retail on August 24, 1995. Windows 95 merged ...

and similar flavours) or the Registry (

Windows NT Windows NT is a Proprietary software, proprietary Graphical user interface, graphical operating system produced by Microsoft as part of its Windows product line, the first version of which, Windows NT 3.1, was released on July 27, 1993. Original ...

and similar flavours).

CTX infection routine

Upon execution, whether from an infected file or the Cholera dropper, CTX will check to see if its payload routine should activate (see Payload). If not, CTX will infect

EXE file For Microsoft Windows, OS/2, and DOS, .exe is the filename extension that denotes a file as being executable a computer program containing an entry point. In addition to being executable (adjective) such a file is often called an executable ( ...

s. CTX has a polymorphic nature, which is neither particularly simple or complex in nature. CTX also obscures the

entry point In computer programming, an entry point is the place in a program where the execution of a program begins, and where the program has access to command line arguments. To start a program's execution, the loader or operating system passes co ...

of files to avoid detection. The virus avoids infecting more than five files in a given folder to avoid detection. Files infecting with CTX are padded to a multiple of 101 bytes to avoid re-infections.

Payload

CTX has a non-destructive payload which rarely activates. If a file is executed exactly six months to the hour after infection, and the video requirements are sufficient, CTX will go into an infinite loop of inverting the desktop colours.

Prevalence

The WildList (), an organization tracking computer viruses, included CTX on its list of threats found in the field from November 2001 to May 2005.

McAfee false positive

On 17 March 2006,

, makers of '' VirusScan'', announced that a

had caused the CTX virus to be detected in a number of common, innocent files, including

Microsoft Excel Microsoft Excel is a spreadsheet editor developed by Microsoft for Microsoft Windows, Windows, macOS, Android (operating system), Android, iOS and iPadOS. It features calculation or computation capabilities, graphing tools, pivot tables, and a ...

. McAfee posted a list of affected files on their web site her

References

{{reflist

External links

McAfee - False positive informationRAV - CTXF-Secure - CTX and Cholera (Simbiosis)NewsFactor - McAfee Update Kills More Than VirusesThe Art of Computer Virus Research and DefenseThe New Age of Computer Virus and Their Detection
Email worms Windows file viruses