Cholera worm being activated displays a message:
Cannot open file: it does not appear to be a valid archive.
If you downloaded this file, try downloading the file again.
This is a disguise only. At the same time the worm copies itself
to \Windows\ directory and modifies WIN.INI to be run during all
further Windows startups. The worm adds its execution string to
'RUN=' statement in WIN.INI file. On NT systems Cholera modifies
Registry as WIN.INI file is not used to run files at startup.
Being active in memory the worm waits until any Internet-using
application (TelNet, mIRC, Netscape, IE) is executed and then
spreads itself by sending its copy to e-mail addresses previously
picked up from DBX, EML, HTM, HTML, IDX, MBX, NCH and TXT files.
The worm tries to find these files on infected system hard disk.
The worm does not use MAPI routines or any mail browser to send
itself out - it has its own SMTP engine. As the worm spreads
itself while other Internet clients are working, its presence and
activities are very hard to notice.
The CTX virus is an 'advanced' Win32 virus (as its creator
states) it has features not typical for other Win32 viruses -
self-integrity check, way of searching for Windows APIs by using
CRCs instead of API names, EPO - Entry Point Obscuring (placing a
jump to its body somewhere inside an infected file). Being
activated the virus looks for Windows PE executables and infects
them. The infection is of appending type. The virus body is
encrypted. CTX virus doesn't have any payload and it manifests
itself by a video effect only.