Idoneus
Type: File virus
Creator: retro
Date Discovered: 2005.10.14
Place of Origin: The United Kingdom
Source Language:
Platform: MS Windows with .NET
File Type(s): .exe
Infection Length:

Idoneus is a .NET virus by Retro. It is a simple direct action infector and overwriter. The virus has some similarities to DotNET.

Behavior

When Idoneus is executed, it copies itself to a random folder on the C: drive. It creates the registry key "HKEY_CURRENT_USER\SOFTWARE\Retro" and adds the value "Idoneus = [path to file]" to the key. It then checks for .exe files in the current folder and overwrites them with a copy of itself.

The virus displays text if WinFX Runtime Component is installed:

Idoneus by Retro/rRlf 
http: // retro .hosk .sk 
http: // www .rrlf .de .vu
GeNeTiX is EVIL!
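
The behavior above leaves two things a defender can check for: the registry marker, and a folder whose .exe files have all become byte-identical because each was overwritten with the same copy. The following triage sketch is an added example, not code from the virus or from any antivirus product; the function names and the sample folder contents are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Indicator taken from the page: HKEY_CURRENT_USER, key SOFTWARE\Retro, value "Idoneus".
REG_PATH = r"SOFTWARE\Retro"
REG_VALUE = "Idoneus"

def registry_marker():
    """Return the file path stored in the marker value, or None if it is absent."""
    try:
        import winreg  # standard library, Windows only
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_PATH) as key:
            value, _kind = winreg.QueryValueEx(key, REG_VALUE)
            return value
    except OSError:  # key or value does not exist
        return None

def identical_exe_groups(folder, min_group=2):
    """Return sorted groups of .exe files in `folder` that are byte-identical."""
    by_hash = defaultdict(list)
    for entry in os.scandir(folder):
        if entry.is_file() and entry.name.lower().endswith(".exe"):
            digest = hashlib.sha256()
            with open(entry.path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            by_hash[digest.hexdigest()].append(entry.name)
    return sorted(sorted(n) for n in by_hash.values() if len(n) >= min_group)

def demo():
    """Constructed sample folder: two .exe files share one body, one does not."""
    samples = {"a.exe": b"MZ same body", "b.EXE": b"MZ same body",
               "c.exe": b"MZ different", "notes.txt": b"MZ same body"}
    with tempfile.TemporaryDirectory() as folder:
        for name, data in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        return identical_exe_groups(folder)

if __name__ == "__main__":
    print("registry marker:", registry_marker())
    print("identical .exe groups in sample folder:", demo())
```

Identical executables can also be legitimate copies, so a group reported here is a lead for closer inspection and not a verdict.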

Origin

Idoneus was coded in late fall of 2005 by retro in the United Kingdom. Some antivirus products describe it as a variant of Benny's DotNET, though this may be because use of the platform at the time was very rare for any malware.

It was among a group of viruses the Ready Rangers Liberation Front publicized as the first Vista viruses. The earlier viruses, Cibyz and Danom, were in fact PowerShell viruses, and Idoneus itself was a .NET virus. One researcher speculated that retro intended to code Idoneus as a prepender, but instead released it as an overwriter since it takes less time to code.

Name

The word Idoneus is Latin for "suitable" or "worthy". Many antivirus products refer to it as Donut.B because of some similarities between this virus and DotNET (also called Donut by antivirus companies). It has also been called "Idonus", "Usined" and "Neusido".

Other Facts

Genetix, referred to in some text in the virus, can refer to a few different things, and it is not entirely certain which one is meant. One is a fictional superhero team. Another is a Turing-complete virtual machine coded in 34 instructions. It is also the name of a virus coder living in Finland. This genetix appeared some time in 2005, and genetix herself even sent a greet to him (among others) in a 2013 interview.

Sources

Costin Ionescu. Symantec.com, MSIL.Idonus. 2007.02.13

Peter Ferrie. Virus Bulletin, Not worthy. 2006.02

Second Part to Hell. DarK CodeZ #5, Interview with genetix. 2013.07

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License