Initx is a harmless per-process resident Win32 virus. It infects Windows
Portable Executable (PE) files that have the “.EXE” filename extension. The
virus consists of two parts: its startup routine, stored in infected files,
and a dynamic link library (DLL) file called “initx.dat”.

The virus searches for suitable files with the “.EXE” extension in the
Windows and Windows System directories and on all of the computer’s network
shares, and tries to infect them. If the computer’s name begins with “CT”
(in upper or lower case), the virus replicates only in the shared directories.

While infecting a file, the virus creates a copy of itself named “initx.dat”
in the host’s directory. Then it appends its 28-byte startup routine to the
host’s code section, so that the “initx.dat” file is loaded as a library
when an infected file is executed. The startup routine is inserted into the
unused space of the code section, so the file’s size remains unchanged.

The infection process looks like this:

    Infected directory        Victim directory

    infected file.exe         host.exe    <--- is infected by writing the
                                               startup routine (28 bytes)
                                               to the code section

    initx.dat         -->     initx.dat   <--- copy of the main part of
                                               the virus

The virus tries to find and connect to the network host called "ct". If
the connection is successful, it transmits the infected computer's name
to that host. It also creates a hidden network share named "ADMIN$"
that points to the Windows directory.
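
The two on-disk traces described above (an "initx.dat" file beside the host and code written into the unused tail of the code section) can be checked with a short triage script. This is an added example, not part of the original description; it assumes the section's VirtualSize is left unchanged by the infection and that linker padding is 0x00 or 0xCC, and the sample image and stub bytes are constructed placeholders.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x20            # section characteristic: contains code
PADDING = (0x00, 0xCC)               # assumed linker fill values

def code_slack(pe: bytes):
    """Yield (section_name, slack_bytes) for each code section's unused tail."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size             # first section header
    for i in range(nsect):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _va, rsize, rptr = struct.unpack_from("<4I", pe, off + 8)
        flags, = struct.unpack_from("<I", pe, off + 36)
        if flags & IMAGE_SCN_CNT_CODE and vsize < rsize:
            yield name, pe[rptr + vsize:rptr + rsize]

def triage(pe: bytes, sibling_names):
    """Return findings for one .EXE image and the file names in its directory."""
    findings = []
    if any(n.lower() == "initx.dat" for n in sibling_names):
        findings.append("initx.dat present in directory")
    for name, slack in code_slack(pe):
        used = sum(1 for b in slack if b not in PADDING)
        if used:
            findings.append(f"{name}: {used} non-padding bytes in code slack")
    return findings

def build_sample(stub: bytes = b"") -> bytes:
    """Constructed, parser-only PE image: one .text section, 16 code bytes."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)      # machine, section count
    struct.pack_into("<8s4I", hdr, 0x58, b".text", 16, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", hdr, 0x58 + 36, 0x60000020)
    return bytes(hdr) + (b"\x90" * 16 + stub).ljust(0x200, b"\0")

if __name__ == "__main__":
    print(triage(build_sample(b"\xAA" * 28), ["host.exe", "initx.dat"]))
```

A hit on either check is a reason to examine the file further rather than a verdict, since other software also places data in section slack.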