W32.CTX and W32.Cholera

Printer Friendly Page

Discovered: September 19, 1999
Updated: February 13, 2007 11:33:12 AM
Also Known As: Win32/CTX.6889
Type: Virus

W32.CTX's current claim to fame is that the virus was released on a worm called W32.Cholera. Basically, the W32.Cholera worm is infected with the CTX virus making the worm a "dropper" of the virus itself..

Antivirus Protection Dates

  • Initial Rapid Release version December 15, 2000
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version December 15, 2000
  • Latest Daily Certified version September 28, 2010 revision 036

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Writeup By: Peter Szor

Discovered: September 19, 1999
Updated: February 13, 2007 11:33:12 AM
Also Known As: Win32/CTX.6889
Type: Virus

W32.Cholera is written in C. Many of the strings used in the worm are decrypted upon execution using the NOT instruction. The worm contains the following encrypted text:
CH0LERA - Bacterium BioCoded by GriYo / 29A

The worm is received by e-mail similarly to W32.ExploreZip. The attached file is MIME encoded and the name of the file is SETUP.EXE. When the worm is executed and the name of the file is SETUP.EXE (when the filename ends in "P"), it will display the following text in a message box:
Cannot open file: it does not appear to
be a valid archive.
If you download this file, try downloading
the file again.

Since the CTX virus is activated from the worm, the virus has already infected the machine when the message above appears on screen.
The worm is multi-threaded. When it is run for the first time, it executes only one of its threads. This thread will install the worm to all available Windows directories on the local machine (WINDOWS, WIN95, WIN98, WIN and WINNT) as long as a WIN.INI file is found in the same directory. The worm copies itself as RPCSRV.EXE to all of these locations and modifies the WIN.INI file of each Windows directory to load the worm on next reboot. If the local machine is Windows NT or Windows 2000, the WIN.INI modification will not take place since NT systems will redirect the request to the registry instead. (This is the main installation procedure of the worm, and it is very similar to W32.ExploreZip worm in its working mechanism so far.)
When the infected system is rebooted, the W32.CTX virus will look for new files to infect on the system first.
When the worm is executed as RPCSRV.EXE, the message box will not be displayed, and three threads will be executed in parallel. The first thread is the local installation described above.
On Windows 9x systems W32.Cholera registers itself as a service making the process hidden. On Windows NT systems the worm may not be noticed easily on the task list because there are many NT processes running with similar names such as TAPISRV.EXE and TPCHRSRV.EXE.
The second thread of the worm enumerates the connected network resources and copies itself to the Windows directories of all network drives with the RPCSRV.EXE name and modifies the WIN.INI files of those directories to load itself on next reboot.
The third thread of Cholera is a major one. This is the communication module of the worm. The tread enumerates the active windows (processes) and looks for names such as OUTLOOK, CUTEFTP, INTERNET EXPLO, TELNET, MIRC respectively. This is required to see if the computer is connected to the network, and if network activity will succeed.
The worm gets the local SMTP server's address from the registry then starts to communicate with the server by using the necessary protocol. (First it sends a "HELO" message, etc.) This thread of W32.Cholera searches the local drive for .HTM, .TXT, .EML, .DBX, .MBX, .NCH, and .IDX files in order to find e-mail addresses. These files are used by E-mail software applications such as Outlook, Eudora, etc. The worm sends a MIME encoded attachment, SETUP.EXE, to the e-mail addresses found in those files.
W32.CTX is the latest creation of GriYo, a virus writer from the Spanish 29A virus writing group. The 29A group has a long history in 32-bit Windows virus writing. This group created the first W32 virus, Cabanas, in 1997.
GriYo created several Windows 95 viruses and some multi-partite viruses also. Most of his creations are polymorphic and difficult to detect.
His earlier creations included the W95.Marburg virus, which is listed on the wildlist. W32.CTX is very similar if not based on GriYo's older creations. The polymorphic engine, like the replication mechanism of the virus, is almost the same with some small but important differences.
W32.CTX is able to replicate on Windows NT systems too, but it can be noticed easier on such systems since the virus infects some files where the checksum is checked during NT boot time and the infected system will not boot after some time.
W32.CTX is not in the wild. The virus writer released the virus, but so far we have not received samples of it from users.
W32.CTX is written is assembly. The virus is inserting polymorphic making the detection of the virus more complicated. CTX is a PE (Portable Executable) infector. The entry point of the infected files will not be changed during infection. Rather the virus modifies the code section of the host program and inserts a CALL to its polymorphic decryptor. The virus wants to avoid detection from first generation W32 heuristic engines this way.
If the decryptor of the virus gets control, the virus decrypts itself. The polymorphic decryptor decrypts the full virus body several times. Finally, the decrypted code is executed. Then, CTX checksums itself very similarly to the W32.Parvo virus (created by the same virus writer). If the checksum is incorrect, the virus will simply hang the process. Otherwise, it searches for the loaded KERNEL32.DLL in the process address space. The virus is able to find the loaded KERNEL32.DLL on Win9x, Windows NT and Windows 2000. When the loaded KERNEL32.DLL is detected, the virus locates the address of the "GetProcAddress" API in the loaded module. Then, it gets the addresses of 23 APIs (CreateFileA, CreateFileMapping, WriteProcessMemory, etc.) for its use. W32.CTX does not use API strings; it calculates the checksums of each API names in the loaded KERNEL32.DLL export table and compares them to its own CRC list.
If all the API addresses were found, the virus allocates memory, copies its code (around 8KB with the polymorphic decryptor) into the new block and jumps there.
The virus fixes 5 bytes in the code section of the host program that are replaced by a CALL to its original code. After CTX tries to replicate, it checks if the system is Windows 2000. If so, the virus avoids infecting files that are protected by the SFC (System File Check) application of Windows 2000.
SFC is a new feature of Windows 2000 which was designed to protect users from incompatibility problems caused by installers that drop incorrect DLL or EXE versions into the Windows system directories. It certainly is not a virus protection feature in its primary use.
CTX is a direct infector. It attempts to locate PE applications with .EXE extension in the current Windows and Windows system directories, and then proceeds to infect no more than five files in each directory. The virus does not infect files when the file size can be divided by 101 evenly. This is a standard method used by the 29A group in most of their creations.
The virus tries to avoid infecting some applications. The names of these files are stored as CRCs in the virus. Very likely these are anti-virus program names and other common applications that have some kind of self-check routines against virus infection. If the file is a SFC protected file, the virus does not infect it.
The virus appends itself to the last section if the PE file does not have relocations. Otherwise, it overwrites the relocation area and zeros the base relocation offset in the PE header. So the size of the infected file may not be bigger than its original size. CTX makes the last section of the PE host writable by modifying the corresponding section header characteristic field. During the infection, the virus uses file mapping which speeds up the infection.
The polymorphic decryptor is generated such that several decryption phases can occur. The number of phases is between 4 and 7. The virus searches the code section of the PE host for a possible API CALL and replaces it with a CALL to its decryptor. The virus removes the read only attribute from the file before infection and sets it back afterwards.
Basically, the W32.CTX virus is an update of a combination of Marburg and Parvo code with new functionality designed for Windows NT systems.
The virus contains the following encrypted text, which is never displayed:
CTX Phage Virus Bio Coded by GriYo / 29A Disclaimer:

This software has been designed for research purposes only. The author is not responsible for any problems caused due to improper or illegal usage of it


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

Writeup By: Peter Szor

Discovered: September 19, 1999
Updated: February 13, 2007 11:33:12 AM
Also Known As: Win32/CTX.6889
Type: Virus

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage:

Writeup By: Peter Szor