Virus.Win32.Initx

Class Virus
Platform Win32
Description

Technical Details

Initx is a harmless per-process resident Win32 virus. It infects Windows
Portable Executable (PE) files that have the “.EXE” filename extension. The
virus consists of two parts: a short startup routine stored in each infected
file, and a dynamic link library (DLL) named “initx.dat” that holds the main
virus body.

Replication

The virus searches for files with the “.EXE” extension in the Windows and
Windows System directories and on all of the computer’s network shares, and
tries to infect them. If the computer’s name begins with “CT” (in either upper
or lower case), the virus replicates only in the shared directories.

While infecting a file, the virus first places a copy of itself named
“initx.dat” in the host’s directory. It then writes its 28-byte startup
routine into unused (padding) space within the host’s code section, so that
“initx.dat” is loaded as a library when the infected file is executed. Because
the routine occupies space that was already allocated in the file, the host’s
size does not change; a file-size comparison therefore does not reveal the
infection. An “initx.dat” file lying next to an executable, or non-zero data
in the code section’s padding, is a better indicator.

The infection process looks like this:

 Infected directory           Victim directory
 ------------------           ----------------
  file1                        file4
  file2                        file5
  ...                          ...
  infected file.exe            host.exe           <--- is infected by 
                                                       writing the startup 
                                                       routine (28 bytes)
                                                       to the code section
  initx.dat            -->     initx.dat          <--- copy of the main 
                                                       part of the virus

Payload

The virus tries to find and connect to a network host named “ct”. If the
connection is successful, it transmits the infected computer’s name to that
host. It also creates a hidden network share named “ADMIN$” that points to the
Windows directory. On Windows NT-family systems a hidden ADMIN$ share exposing
the Windows directory exists by default, so on those systems the share alone
does not indicate infection; the outbound connection attempt to a host named
“ct” and the presence of “initx.dat” are the more reliable indicators.