Idoneus | |
---|---|
Type | File virus |
Creator | retro |
Date Discovered | 2005.10.14 |
Place of Origin | The United Kingdom |
Source Language | |
Platform | MS Windows with .NET |
File Type(s) | .exe |
Infection Length | |

Idoneus is a .NET virus by Retro. It is a simple direct action infector and overwriter. The virus has some similarities to DotNET.
Behavior
When Idoneus is executed, it makes a copy of itself to a random folder in the C: drive. It creates the registry key "HKEY_CURRENT_USER\SOFTWARE\Retro" and adds "Idoneus = [path to file]" to the key. It checks for .exe files in the current folder and overwrites them with a copy of itself.
The virus displays text if WinFX Runtime Component is installed:
Idoneus by Retro/rRlf
http: // retro .hosk .sk
http: // www .rrlf .de .vu
GeNeTiX is EVIL!
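
The two traces described above can be checked from a triage script. The following is an added example, not code from the virus or from any antivirus vendor: it looks for byte-identical .exe files in one folder (what an overwriter leaves behind) and for the registry value named above. The function names are hypothetical, and the registry check only runs on Windows.

```python
import hashlib
import os
from collections import defaultdict

try:
    import winreg  # standard library, present only on Windows
except ImportError:
    winreg = None

REG_SUBKEY = r"SOFTWARE\Retro"  # key named on this page, under HKEY_CURRENT_USER
REG_VALUE = "Idoneus"           # value named on this page


def identical_exe_groups(folder):
    """Return sorted lists of .exe names in `folder` whose contents are byte-identical."""
    by_digest = defaultdict(list)
    for entry in os.scandir(folder):
        if entry.is_file() and entry.name.lower().endswith(".exe"):
            h = hashlib.sha256()
            with open(entry.path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            by_digest[h.hexdigest()].append(entry.name)
    return sorted(sorted(names) for names in by_digest.values() if len(names) > 1)


def registry_marker():
    """Return the path stored in the Idoneus value, or None if absent or not on Windows."""
    if winreg is None:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_SUBKEY) as key:
            value, _type = winreg.QueryValueEx(key, REG_VALUE)
            return str(value)
    except OSError:  # key or value does not exist
        return None


def triage(folder):
    """Combine both indicators into one report for a single folder."""
    groups = identical_exe_groups(folder)
    marker = registry_marker()
    return {"identical_exe_groups": groups, "registry_marker": marker,
            "suspicious": bool(groups) or marker is not None}


if __name__ == "__main__":
    import sys
    print(triage(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Identical executables in one folder also occur legitimately (renamed copies of the same tool), so a hit is a reason to inspect the files, not a verdict.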
Origin
Idoneus was coded in late fall of 2005 by retro in the United Kingdom. Some antivirus products describe it as a variant of Benny's DotNET, though this may be because use of the platform at the time was very rare for any malware.
It was among a group of viruses the Ready Rangers Liberation Front publicized as the first Vista viruses. The earlier viruses, Cibyz and Danom, were in fact PowerShell viruses and Idoneus itself was a .NET virus. One researcher speculated that retro intended to code Idoneus as a prepender, but instead released it as an overwriter since it takes less time to code.
Name
The word Idoneus is Latin for "suitable" or "worthy". Many antivirus products refer to it as Donut.B because of some similarities between this virus and DotNET (also called Donut by antivirus companies). It has also been called "Idonus", "Usined" and "Neusido".
Other Facts
Genetix, named in the text the virus displays, can refer to a few different things, and it is not certain which one is meant. One is a fictional super hero team. Another is a Turing-complete virtual machine coded in 34 instructions. It is also the name of a virus coder living in Finland. This genetix appeared some time in 2005, and genetix herself even sent a greet to him (among others) in a 2013 interview.
Sources
Costin Ionescu. Symantec.com, MSIL.Idonus. 2007.02.13
Peter Ferrie. Virus Bulletin, Not worthy. 2006.02
Second Part to Hell. DarK CodeZ #5, Interview with genetix. 2013.07