|Place of Origin||Madrid, Spain|
|Infection Length||6,886 bytes|
CTX is usually first activated by the Cholera worm that carries it onto a system. When executed, the virus decrypts itself several times then executes the rest of itself. The virus uses a checksum to see if it was decrypted correctly. If not, it hangs the process, otherwise it continues.
The virus searches for PE files in the current directory as well as the Windows and System directories. It will not infect more than 5 files in each directory at once. CTX avoids infecting files with the character strings 'DR', 'PA', 'RO', 'VI', 'AV', 'TO', 'CA', 'IN' and 'MS' in their names. It also checks if the system is Windows 2000, and if so, avoids files protected by the System File Check. Along with these, it avoids files whose file size can be evenly divided by 101.
It looks for "cavities" in the .exe files. Typically these are long strings of zeroes, strings of 0xCC that C compilers use for instruction alignment or other data whose removal is of no consequence to the functionality of the executable. It copies its code into these cavities, overwriting them. It will append itself if it can't find any suitable cavities.
The virus contains strings of text that are never displayed, as the virus is encrypted.
CTX Phage Virus Bio Coded by GriYo / 29A Disclaimer: This software has been designed for research purposes only. The author is not responsible for any problems caused due to improper or illegal usage of it
Some researchers considered CTX to be an updated version of Griyo's previous viruses, Marburg and Parvo. It had much of the same functionality and the main difference was that it was updated for the Windows NT environment.
At least one subsequent virus by Griyo, Dengue, was pretty similar. One of its primary differences was memory residency.
CTX was reported to have been released by the author, however users never sent any samples to antivirus companies.
Griyo. 29A Magazine, Issue 4, Win32.CTX Phage.
Peter Szor. Symantec, W32.CTX and W32.Cholera. 2007.07.13
-. The Art of Computer Virus Research and Defense, , pp. 262-264. Addison Wesley, Symantec Press, 2005.
Kaspersky Lab. SecureList.com, Virus.Win32.CTX.10853.