Win32/Stupid
Stupid
Type File virus
Creator VicodenES
Date Discovered JUL-1998
Place of Origin USA
Source Language Visual Basic
Platform MS Windows
File Type(s) .exe
Infection Length 27,648 bytes

Stupid is a Windows 32-bit companion virus coded in Visual Basic by VicodenES, who was best known for the Melissa virus. It is the first Visual Basic virus.

Behavior

When executed, Stupid checks for the presence of the file "dat0.exe" and creates it if it is not found. It creates a registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with the value "Vic = c:\\dat0.exe\" to ensure this this file will run when the user restarts the computer. If it is executed from the dat0.exe, it picks a random .exe file and copies it as a .com file. It then replaces the .exe file with a copy of itself. Stupid then looks for drives to infect. On drive A:, it creates a copy of itself named "Smile.exe" and sets the AUTOEXEC.BAT file to execute it when the disk is accessed.

Payload

stupid2k2.PNG
stupid2k1.PNG
stupid2k0.PNG

One of two payloads will display messages depending on the time and date of Stupid's execution. Both happen if the time is exactly 30 minutes after the hour and 16 seconds past the minute or less. If the day of the month is past the 15th, it displays a message with the title "Win32.Stupid", an exclamation mark icon, and a message of "DAMN!! This is *S T U P I D*". Any other time of the month, this payload will be a message box with a title of "Vic says…", a message of "Cameron Diaz is a goddess!", and a "Yes" and "No" button. If the user selects "Yes", the virus continues and displays no further messages. If the user says "No", it displays another message box with a title of "Win32.Stupid", an "X" icon, and the message "JERK!".

Origin

Stupid was completed by VicodenES in Visual Basic in July of 1998. It was his last work with the short-lived "The Narkotic Network" VX group and he had already joined Codebreakers in the previous month. In the next year, VicodenES would go on to create the Melissa virus. He wrote two versions of the virus, the second one had better comments. Neither use any kind of indentation to make them more readable and where commenting exists in the second version it is quite scant.

Stupid is a very common name for viruses and many other platforms have a virus named "Stupid", some even have more than one unrelated virus with that name. Though this one is not so bad, it often is given to Stupid that are poorly coded and can barely spread.

Sources

20cn.net, Win32.Stupid Commented code.

- , Win32.Stupid Original code.

VX Heaven (Archive), TNN (The Narkotic Network )

19981998_virusfile_virusfirstimagemade_in_usams_windowsms_windows_virusvicodenesvirusvirus_from_usawin32win32_virus
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License