CTX (computer virus)

CTX is a computer virus created in Spain in 1999. CTX was initially discovered as part of the Cholera worm, with which the author intentionally infected with CTX. Although the Cholera worm had the capability to send itself via email, the CTX worm quickly surpassed it in prevalence. Cholera is now considered obsolete, while CTX remains in the field, albeit with only rare discoveries.

In March 2006, CTX was in the news again due to a false positive in the McAfee VirusScan program that caused CTX detections in a range of innocuous files.

Simbiosis Project and "Biocoding"
The CTX virus originated as part of the "Simbiosis (sic) Project". The Simbiosis Project was an early attempt by the 29A virus writers group to combine Windows file infectors with Windows mass-mailing worms. This 'Project' was an attempt to see how successful this previously rare synthesis of malware threats was. Cholera/CTX is the only documented virus involved in the Simbiosis Project. Although CTX did gain some spread in the wild, this was remarkably more related to its file infection functions than the Cholera mass-mailing function.

CTX was also a member of the "BioCoded" string of viruses. The "BioCoded" string seemed to have little to do with each other beyond being named after biological viruses. Other members of this group include Marburg, Dengue, HPS, the latter of which is a reference to Hantavirus Pulmonary Syndrome. All "BioCoded" viruses have been listed on the WildList, including CTX. Despite their threatening names, CTX and all BioCoded viruses have no payload beyond graphics and, in some cases, deleting antivirus programs.

Function of Cholera Worm
By today's standards, Cholera is a fairly unremarkable mass-mailing worm, written in C++. However, Cholera was remarkable at its creation for its use of its own SMTP server. Unlike most worms of the day, which relied on installations of Microsoft Outlook or similar email programs, Cholera was capable of sending its own mails through internal mechanisms. Cholera sends its emails with the attachment SETUP.EXE, of 49,187 bytes in size. Emails are collected from files on the infected computer's hard drive. Cholera only spreads when another Internet-using application is open, to avoid detection in a time when dial-up modems were standard.

When SETUP.EXE is executed, Cholera displays the fake error, "Cannot open file: it does not appear to be a valid archive. If you downloaded this file, try downloading the file again."

Cholera is also a network worm, inserting itself into the Windows folders of computers available through Network Neighborhood.

Finally, Cholera will add itself to either WIN.INI (Windows 95 and similar flavours) or the Registry (Windows NT and similar flavours).

CTX infection routine
Upon execution, whether from an infected file or the Cholera dropper, CTX will check to see if its payload routine should activate (see Payload). If not, CTX will infect EXE files. CTX has a polymorphic nature, which is neither particularly simple or complex in nature. CTX also obscures the entry point of files to avoid detection. The virus avoids infecting more than five files in a given folder to avoid detection. Files infecting with CTX are padded to a multiple of 101 bytes to avoid re-infections.

Payload
CTX has a non-destructive payload which rarely activates. If a file is executed exactly six months to the hour after infection, and the video requirements are sufficient, CTX will go into an infinite loop of inverting the desktop colours.

Prevalence
The WildList, an organization tracking computer viruses, included CTX on its list of threats found in the field from November 2001 to May 2005.

McAfee false positive
On 17 March 2006, McAfee, makers of VirusScan, announced that a false positive had caused the CTX virus to be detected in a number of common, innocent files, including Microsoft Excel. McAfee posted a list of affected files on their web site here.