Classification

Category: Malware

Type: -

Aliases: Toadie, HLLP.Toadie, Termite

Summary

Toadie is a relocating virus-worm. It is encrypted and non-memory resident. The virus was posted to several newsgroups on 15 August 1999, disguised as a cell phone cloning application, inside a file named CELLCRK.ZIP. When CELLCRK.EXE, the program inside that ZIP, is run, it displays a rhyme and a Symantec copyright string.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When activated, the virus searches for EXE files and infects them (50-100 at a time in the Toadie.7800 version). This can cause a considerable decrease in performance on DOS-based and slow Windows systems. The delay between an infected file being run and the original file code receiving control can be up to 20 seconds if no disk cache program is installed.

The virus infects DOS and Windows EXE files in the same way. The first 7800 bytes of the original file (or another length, depending on the virus version) are relocated to the end of the file and encrypted by the virus. The virus then writes 7800 bytes of its own code, which is itself a DOS program with an EXE header, to the beginning of the infected file, thereby converting any Windows program to DOS format. When an infected DOS or Windows program is run, the virus code gets control first, infects more EXE files on the hard disk(s), and then passes control to the original file code.

The virus is also able to spread through IRC networks. On an infected system it modifies the settings of the mIRC client and creates a file named TOADIE.EXE. This file is sent via DCC from the infected user to anyone who joins any IRC channel the user is in at that moment. The virus can also replace the contents of unsent messages in the Outbound folder of Pegasus Mail; in that case the virus executable is sent out instead of the original outgoing message.

Version 1.1 of this virus contains several internal text strings and rhymes. They are output only once, when the virus starts from a dropper (which is 1 byte longer than the virus body):

There once was a bud named B.C.
He grew on a 7 foot tree
Till one day I plucked him
Rolled him and smoked him
And now I can barely see!
Ladies and gentlemen, I stand before you to stand behind you to
tell you something I know nothing about. Thursday, which is Good
Friday, we're having a Father's Day party for mother's only.
Admission is free, pay at the door, pull out a chair and sit on
the floor.
Late one night in the middle of the day, two dead soldiers got
up to fight. Back to back they faced each other, pulled out
their swords and shot one another. A deaf policeman heard the
noise, got up and shot the twice dead boys. If you don't believe
me, ask the blind man who saw it all, through a knothole in a
wooden brick wall.
Question: If someone with multiple personalities tries to commit
suicide, do the police consider it a hostage situation?
One bong hit, Two bong hit, Three bong hit, Floor.

Here is how it looks (screenshot not reproduced in this text):

The 7800-byte version of the virus is a very fast infector: within several minutes all EXE files will be infected. From 3:00pm to 5:00pm the virus 'sleeps' and does not replicate. Infected files do not work after 9:00pm.

The virus also displays a copyright message when the current minute value is 17: