Aliases: Win32/CTX, Win32.CTX.6886, W32/Cholera

Win32/CTX.6889.A is a polymorphic virus that infects executable files in the Portable Executable (PE) format. It is written in assembler and uses the Entry Point Obscuring (EPO) technique to make detection harder: rather than redirecting the PE entry point to the virus body, it patches code elsewhere in the host so that the virus gains control only later in the program's execution.

Note: In the following text the symbolic notation %windir% stands for the directory in which the Windows operating system is installed. Naturally, this can differ from one installation to another.

The virus infects PE files with the extension .EXE in the current directory, in %windir% and in %windir%\System. It does not infect files in the root directory, files with the system attribute set, or files whose length is divisible by 101. The last rule is the infection marker: the virus leaves every infected file with a length divisible by 101 and uses that property to recognise files it has already infected. In addition, the virus does not infect files whose names resemble those of anti-virus programs. This check is not a character-by-character comparison of the filename; the virus computes a CRC32 checksum over parts of the filename and compares it with stored checksums of the strings DR, PA, RO, VI, AV, TO, CA, IN and M.
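
The following script replays the target-selection rules described above so an analyst can see which files in a directory the virus would have skipped and why. It is an added example written for this description, not code from the virus or from the anti-virus vendor. It assumes standard CRC-32 (zlib.crc32), a sliding 1- and 2-byte window over the upper-cased filename stem for the anti-virus name check, and the Win32 FILE_ATTRIBUTE_SYSTEM value 0x04; the description does not give the virus's exact CRC polynomial or windowing, so those details are assumptions. The sample PE bytes are constructed inline.

```python
import os
import struct
import zlib
from typing import Dict, Optional

# Values taken from the description above. The CRC polynomial the virus uses is not
# given there, so standard CRC-32 (zlib.crc32) is an assumption.
INFECTION_MARKER_MODULUS = 101
AV_NAME_FRAGMENTS = ("DR", "PA", "RO", "VI", "AV", "TO", "CA", "IN", "M")
AV_FRAGMENT_CRCS = {zlib.crc32(f.encode("ascii")): f for f in AV_NAME_FRAGMENTS}
FILE_ATTRIBUTE_SYSTEM = 0x04  # Win32 constant


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def av_fragment_in_name(filename: str) -> Optional[str]:
    """Return the fragment whose CRC-32 matches a window of the filename stem, else None.

    Assumption (not in the description): a 1- and 2-byte window is slid over the
    upper-cased stem and CRC-32 values, not characters, are compared.
    """
    stem = os.path.splitext(os.path.basename(filename))[0].upper().encode("ascii", "replace")
    for width in (1, 2):
        for i in range(len(stem) - width + 1):
            hit = AV_FRAGMENT_CRCS.get(zlib.crc32(stem[i:i + width]))
            if hit is not None:
                return hit
    return None


def classify(filename: str, data: bytes, attributes: int = 0, in_root_dir: bool = False) -> str:
    """Replay the virus's target filter: returns 'target' or the reason the file is skipped."""
    if in_root_dir:
        return "skipped: root directory"
    if not filename.upper().endswith(".EXE"):
        return "skipped: not .EXE"
    if attributes & FILE_ATTRIBUTE_SYSTEM:
        return "skipped: system attribute"
    if not is_pe(data):
        return "skipped: not a PE file"
    if len(data) % INFECTION_MARKER_MODULUS == 0:
        return "skipped: size divisible by 101 (infection marker)"
    fragment = av_fragment_in_name(filename)
    if fragment is not None:
        return f"skipped: filename fragment {fragment!r} matches AV list"
    return "target"


def scan_directory(path: str) -> Dict[str, str]:
    """Classify every regular file in one directory the way the virus would when run from it."""
    results: Dict[str, str] = {}
    abs_path = os.path.abspath(path)
    in_root = os.path.dirname(abs_path) == abs_path
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        attrs = getattr(entry.stat(), "st_file_attributes", 0)  # populated on Windows only
        with open(entry.path, "rb") as fh:
            data = fh.read()
        results[entry.name] = classify(entry.name, data, attrs, in_root)
    return results


def fake_pe(size: int) -> bytes:
    """Constructed sample: minimal MZ stub with e_lfanew=0x40 and a PE signature, padded to size."""
    header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    return header + b"\x00" * (size - len(header))


if __name__ == "__main__":
    for name, size in (("HELLO.EXE", 203), ("HELLO.EXE", 202), ("DRWEB.EXE", 203), ("CMD.EXE", 203)):
        print(f"{name} ({size} bytes): {classify(name, fake_pe(size))}")
```

Because the single-character fragment M is on the list, a large share of ordinary filenames are excluded as well; the list is a crude heuristic rather than a precise match on product names. The size rule is the useful one for triage: an infected file always has a length divisible by 101, so a clean file of that size is simply never infected, and a file that gained a few bytes to reach such a length is worth a closer look.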
The virus contains a payload routine that activates six months after the host file was infected; it inverts the colours on the screen. The virus body contains the following text string:

[ CTX Phage Virus BioCoded by GriYo / 29A Disclaimer: This software has been designed for research purposes only. The author is not responsible for any problems caused due to improper or illegal usage of it ]

