|Place of Origin|The United Kingdom|
|Platform|MS Windows with .NET|
When Idoneus is executed, it copies itself to a random folder on the C: drive. It creates the registry key "HKEY_CURRENT_USER\SOFTWARE\Retro" and adds the value "Idoneus = [path to file]" to that key. It then checks for .exe files in the current folder and overwrites them with a copy of itself.
The virus displays text if WinFX Runtime Component is installed:
Idoneus by Retro/rRlf http: // retro .hosk .sk http: // www .rrlf .de .vu GeNeTiX is EVIL!
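The registry marker and the overwriting behaviour described above give two host checks. The following is an added triage example, not code from the original page or from any antivirus product: it parses the text of a `reg export` dump for the `Retro` key and lists `.exe` files that are byte-identical to the referenced copy. The sample export, the path inside it and the function names are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

IOC_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Retro"   # key named on this page
IOC_VALUE = "Idoneus"                            # value named on this page

# Constructed sample of `reg export` text output; the path is made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Retro]
"Idoneus"="C:\\qzkv\\setup.exe"

[HKEY_CURRENT_USER\SOFTWARE\Vendor]
"Idoneus"="C:\\unrelated.exe"
'''

def find_marker(export_text):
    """Return the path stored under the Retro key's Idoneus value, or None."""
    current_key = None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # entering a new key section
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if (m and current_key and current_key.lower() == IOC_KEY.lower()
                and m.group(1).lower() == IOC_VALUE.lower()):
            return re.sub(r"\\(.)", r"\1", m.group(2))   # undo .reg escaping
    return None

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def overwritten_exes(folder, reference):
    """List .exe files in `folder` that are byte-identical to `reference`."""
    ref_hash = sha256(reference)
    ref_real = Path(reference).resolve()
    return sorted(p.name for p in Path(folder).iterdir()
                  if p.is_file() and p.suffix.lower() == ".exe"
                  and p.resolve() != ref_real and sha256(p) == ref_hash)
```

Because an overwriter replaces each host file with the same bytes, several differently named executables sharing one hash in a folder is itself a strong signal, even when the registry marker has been cleaned up.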
Idoneus was coded in late fall of 2005 by retro in the United Kingdom. Some antivirus products describe it as a variant of Benny's DotNET, though this may be because malware for the .NET platform was very rare at the time.
It was among a group of viruses the Ready Rangers Liberation Front publicized as the first Vista viruses. The earlier viruses, Cibyz and Danom, were in fact PowerShell viruses, and Idoneus itself was a .NET virus. One researcher speculated that retro intended to code Idoneus as a prepender but instead released it as an overwriter, since an overwriter takes less time to code.
The word Idoneus is Latin for "suitable" or "worthy". Many antivirus products refer to it as Donut.B because of some similarities between this virus and DotNET (also called Donut by antivirus companies). It has also been called "Idonus", "Usined" and "Neusido".
Genetix, referred to in the text the virus displays, can refer to a few different things, and it is not entirely certain which one is meant. One is a fictional superhero team. Another is a Turing-complete virtual machine coded in 34 instructions. It is also the name of a virus coder living in Finland. This genetix appeared some time in 2005, and genetix herself even sent a greet to him (among others) in a 2013 interview.
Costin Ionescu. Symantec.com, MSIL.Idonus. 2007.02.13
Peter Ferrie. Virus Bulletin, Not worthy. 2006.02
Second Part to Hell. DarK CodeZ #5, Interview with genetix. 2013.07