|Place of Origin||Mechelen, Belgium|
|Infection Length||33,792 bytes|
Xanax is a virus/worm coded by Gigabyte. It spreads through email and IRC like a worm, and it also acts like a virus by infecting files. Some antivirus products detect it as a variant of Scrambler, to which it has some similarities.
Xanax arrives in an email with the subject line "Stressed? Try Xanax!". The attachment is "Xanax.exe". The email body is:
Hi there! Are you so stressed that it makes you ill? You're not alone! Many people suffer from stress, these days. Maybe you find Prozac too strong? Then you NEED to try Xanax, it's milder. Still not convinced? Check out the medical details in the attached file. Xanax might change your life!
When executed, the virus looks for .exe files in the Windows directory. It avoids files beginning with the letters E, P, R, S, T and W. Xanax prepends itself to the beginning of the files it infects. It copies itself to the Windows system folder as Xanax.exe and XANSTART.EXE. It adds the XANSTART.EXE file to a local machine run key so it will run whenever Windows starts.
It also adds the file HOSTFILE.EXE to the system folder as well as WINSTART.BAT and XANAX.SYS to the Windows folder. HOSTFILE.EXE is a clean copy of the most recently infected file. XANAX.SYS contains the text "Win32.HLLP.Xanax (c) 2001 Gigabyte", which is never displayed. WINSTART.BAT runs at startup and displays the following message:
Do not Take This medication with ethanol, Buspar (buspirone), TCA antidepressants, narcotics, or other CNS depressants. This combination can Increase CNS depression. Be sure not to take other sedative, benzodiazepines, or sleeping pills With This drug. The combinations Could Be Fatal. Do not smoke or drink alcohol, When taking Xanax. Alcohol can lower blood pressure and decrease your breathing rate to the point of unconsciousness. Tobacco and marijuana smoking can add to the sedative effects of Xanax.
Xanax checks drives C: to F: to see if mIRC is installed, and if so, infects it. It overwrites the SCRIPT.INI file with a copy that sends the worm to everyone joining the channel.
When run from a file name with "R" as the penultimate letter (for example, zzzRz.exe), Xanax displays a message:
Xanax 8-Chloro-1-methyl-6-phenyl-4H-s-triazolo (4,3-alpha)(1,4) benzodiazepine
Xanax also drops a VBS script file, XANAX.VBS, in the current working directory. This file handles the email routine. It sends a copy of Xanax.exe from the system folder to the first 1,000 contacts in the Outlook address book.
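The file-system artifacts described above can be turned into a triage check for a mounted disk image. The following is an added example, not code from the original page or from any antivirus product; it does not inspect the run key, the function names and the sample tree are constructed, and the prepending heuristic assumes the original host follows the 33,792-byte virus body unchanged.

```python
import tempfile
from pathlib import Path

INFECTION_LENGTH = 33_792          # infection length given on this page
MARKER = b"Win32.HLLP.Xanax (c) 2001 Gigabyte"   # text the page says XANAX.SYS holds
SYSTEM_DROPS = {"xanax.exe", "xanstart.exe", "hostfile.exe"}
WINDOWS_DROPS = {"winstart.bat", "xanax.sys"}

def looks_prepended(path):
    """Assumption: the original host follows the virus body unchanged, so a
    second 'MZ' header sits exactly INFECTION_LENGTH bytes into the file."""
    with open(path, "rb") as f:
        if f.read(2) != b"MZ":
            return False
        f.seek(INFECTION_LENGTH)
        return f.read(2) == b"MZ"

def triage(windows_dir, system_dir):
    """Return sorted (indicator, file name) pairs for one Windows install."""
    findings = []
    for directory, names in ((system_dir, SYSTEM_DROPS), (windows_dir, WINDOWS_DROPS)):
        for entry in Path(directory).iterdir():
            if entry.is_file() and entry.name.lower() in names:
                findings.append(("dropped_file", entry.name))
    for entry in Path(windows_dir).iterdir():
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name == "xanax.sys" and MARKER in entry.read_bytes():
            findings.append(("marker_string", entry.name))
        elif name.endswith(".exe") and looks_prepended(entry):
            findings.append(("prepended_host", entry.name))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: placeholder bytes only, no real code."""
    win, sysdir = Path(root, "WINDOWS"), Path(root, "WINDOWS", "SYSTEM")
    sysdir.mkdir(parents=True)
    pad = b"MZ" + b"\x00" * (INFECTION_LENGTH - 2)
    (win / "notepad.exe").write_bytes(pad + b"MZ" + b"\x00" * 64)  # "infected"
    (win / "calc.exe").write_bytes(b"MZ" + b"\x00" * 64)           # clean
    (win / "XANAX.SYS").write_bytes(MARKER)
    (win / "WINSTART.BAT").write_bytes(b"@echo off\r\n")
    (sysdir / "XANSTART.EXE").write_bytes(pad)
    return win, sysdir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in triage(*build_sample(tmp)):
            print(finding)
```

A file flagged as `prepended_host` is a candidate for closer analysis rather than a confirmed infection, since the offset check is only a heuristic.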
Some sources reported Xanax in the wild, though there seem to be no reported cases.