CTX (computer Virus)
   HOME

TheInfoList



Click Here for Items Related To - CTX (computer Virus)
OR:
CTX (computer Virus) on:   [Wikipedia]   [Google]   [Amazon]

CTX is a
computer virus A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code. If this replication succeeds, the affected areas are then said to be "infected" with a compu ...
created in
Spain , image_flag = Bandera de España.svg , image_coat = Escudo de España (mazonado).svg , national_motto = ''Plus ultra'' (Latin)(English: "Further Beyond") , national_anthem = (English: "Royal March") , i ...
in 1999. CTX was initially discovered as part of the Cholera worm, with which the author intentionally infected with CTX. Although the Cholera worm had the capability to send itself via email, the CTX worm quickly surpassed it in prevalence. Cholera is now considered obsolete, while CTX remains in the field, albeit with only rare discoveries. In March 2006, CTX was in the news again due to a
false positive A false positive is an error in binary classification in which a test result incorrectly indicates the presence of a condition (such as a disease when the disease is not present), while a false negative is the opposite error, where the test result ...
in the
McAfee McAfee Corp. ( ), formerly known as McAfee Associates, Inc. from 1987 to 1997 and 2004 to 2014, Network Associates Inc. from 1997 to 2004, and Intel Security Group from 2014 to 2017, is an American global computer security software company head ...
'' VirusScan'' program that caused CTX detections in a range of innocuous files.


Simbiosis Project and "Biocoding"

The CTX virus originated as part of the "Simbiosis (sic) Project". The Simbiosis Project was an early attempt by the 29A virus writers group to combine Windows file infectors with Windows mass-mailing worms. This 'Project' was an attempt to see how successful this previously rare synthesis of malware threats was. Cholera/CTX is the only documented virus involved in the Simbiosis Project. Although CTX did gain some spread in the wild, this was remarkably more related to its file infection functions than the Cholera mass-mailing function. CTX was also a member of the "BioCoded" string of viruses. The "BioCoded" string seemed to have little to do with each other beyond being named after biological viruses. Other members of this group include Marburg, Dengue, HPS, the latter of which is a reference to
Hantavirus Pulmonary Syndrome Hantavirus pulmonary syndrome (HPS) is one of two potentially fatal syndromes of zoonotic origin caused by species of hantavirus. These include Black Creek Canal virus (BCCV), New York orthohantavirus (NYV), Monongahela virus (MGLV), ''Sin Nomb ...
. All "BioCoded" viruses have been listed on th
WildList
, including CTX. Despite their threatening names, CTX and all BioCoded viruses have no
payload Payload is the object or the entity which is being carried by an aircraft or launch vehicle. Sometimes payload also refers to the carrying capacity of an aircraft or launch vehicle, usually measured in terms of weight. Depending on the nature of ...
beyond graphics and, in some cases, deleting antivirus programs.


Function of Cholera Worm

By today's standards, Cholera is a fairly unremarkable mass-mailing worm, written in
C++ C++ (pronounced "C plus plus") is a high-level general-purpose programming language created by Danish computer scientist Bjarne Stroustrup as an extension of the C programming language, or "C with Classes". The language has expanded significan ...
. However, Cholera was remarkable at its creation for its use of its own
SMTP The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typical ...
server. Unlike most worms of the day, which relied on installations of
Microsoft Outlook Microsoft Outlook is a personal information manager software system from Microsoft, available as a part of the Microsoft Office and Microsoft 365 software suites. Though primarily an email client, Outlook also includes such functions as Calen ...
or similar email programs, Cholera was capable of sending its own mails through internal mechanisms. Cholera sends its emails with the attachment SETUP.EXE, of 49,187 bytes in size. Emails are collected from files on the infected computer's hard drive. Cholera only spreads when another Internet-using application is open, to avoid detection in a time when
dial-up Dial-up Internet access is a form of Internet access that uses the facilities of the public switched telephone network (PSTN) to establish a connection to an Internet service provider (ISP) by dialing a telephone number on a conventional telepho ...
modem A modulator-demodulator or modem is a computer hardware device that converts data from a digital format into a format suitable for an analog transmission medium such as telephone or radio. A modem transmits data by Modulation#Digital modulati ...
s were standard. When SETUP.EXE is executed, Cholera displays the fake error, "Cannot open file: it does not appear to be a valid archive. If you downloaded this file, try downloading the file again." Cholera is also a network worm, inserting itself into the Windows folders of computers available through
Network Neighborhood My Network Places (formerly Network Neighborhood) is the network browser feature in Windows Explorer. It was first introduced in Windows 95 and Windows NT 4.0 and was renamed My Network Places in Windows 2000 and later. My Network Places maintain ...
. Finally, Cholera will add itself to either
WIN.INI WIN.INI is a basic INI file that was used in versions of the Microsoft Windows operating environment up to Windows 3.11 to store basic settings at boot time. By default, all font, communications drivers, wallpaper, screen saver, and language set ...
(
Windows 95 Windows 95 is a consumer-oriented operating system developed by Microsoft as part of its Windows 9x family of operating systems. The first operating system in the 9x family, it is the successor to Windows 3.1x, and was released to manufacturin ...
and similar flavours) or the
Registry Registry may refer to: Computing * Container registry, an operating-system-level virtualization registry * Domain name registry, a database of top-level internet domain names * Local Internet registry * Metadata registry, information system for re ...
(
Windows NT Windows NT is a proprietary graphical operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems sc ...
and similar flavours).


CTX infection routine

Upon execution, whether from an infected file or the Cholera dropper, CTX will check to see if its payload routine should activate (see Payload). If not, CTX will infect EXE files. CTX has a polymorphic nature, which is neither particularly simple or complex in nature. CTX also obscures the
entry point In computer programming, an entry point is the place in a program where the execution of a program begins, and where the program has access to command line arguments. To start a program's execution, the loader or operating system passes contro ...
of files to avoid detection. The virus avoids infecting more than five files in a given folder to avoid detection. Files infecting with CTX are padded to a multiple of 101 bytes to avoid re-infections.


Payload

CTX has a non-destructive payload which rarely activates. If a file is executed exactly six months to the hour after infection, and the video requirements are sufficient, CTX will go into an infinite loop of inverting the desktop colours.


Prevalence

The WildList (), an organization tracking computer viruses, included CTX on its list of threats found in the field from November 2001 to May 2005.


McAfee false positive

On 17 March 2006,
McAfee McAfee Corp. ( ), formerly known as McAfee Associates, Inc. from 1987 to 1997 and 2004 to 2014, Network Associates Inc. from 1997 to 2004, and Intel Security Group from 2014 to 2017, is an American global computer security software company head ...
, makers of '' VirusScan'', announced that a
false positive A false positive is an error in binary classification in which a test result incorrectly indicates the presence of a condition (such as a disease when the disease is not present), while a false negative is the opposite error, where the test result ...
had caused the CTX virus to be detected in a number of common, innocent files, including
Microsoft Excel Microsoft Excel is a spreadsheet developed by Microsoft for Microsoft Windows, Windows, macOS, Android (operating system), Android and iOS. It features calculation or computation capabilities, graphing tools, pivot tables, and a macro (comp ...
. McAfee posted a list of affected files on their web site her


References

{{reflist


External links


McAfee - False positive informationRAV - CTXF-Secure - CTX and Cholera (Simbiosis)NewsFactor - McAfee Update Kills More Than VirusesThe Art of Computer Virus Research and DefenseThe New Age of Computer Virus and Their Detection
Email worms Windows file viruses