F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : Toadie





NAME:Toadie
ALIAS:HLLP.Toadie, Termite

Toadie is a relocating virus-worm. It is encrypted and non-memory resident. This virus was posted to several newsgroups as a cell phone cloning application on 15th of August 1999. The virus was in CELLCRK.ZIP file. When the CELLCRK.EXE program that was inside that ZIP is run it displays a rhyme and a copyright string of Symantec.

When activated the virus searches for EXE files and infects them (50-100 at a time for Toadie.7800 version). This might cause a considerable decrease of perfomance on DOS-based and slow Windows systems. The delay after an infected file is run and before the original file code gets control can be up to 20 seconds if no disk cache program is installed.

The virus infects DOS and Windows EXE files files the same way. The 7800 bytes (or other length depending on virus version) from original file beginning are relocated to the end of the file and encrypted by the virus. The virus writes 7800 bytes of its code which is a DOS program (with EXE header) itself to infected file beginning thus converting any Windows program to DOS format. When any infected DOS or Windows program is run, virus code gets control first, infects more EXE files on hard disk(s) and then passes control to the original file code.

The virus has an ability to spread itself through IRC networks. On infected system the virus modifies settings of IRC client (mIRC) and creates TOADIE.EXE file. This file is sent [DCC] by an infected user to anyone who is joining any IRC channel the user is on at the moment. The virus also can replace unsent message contents in Outbound folder of Pegasus Mail. In this case the virus executable will be sent out instead of an original outgoing message.

The 1.1 version of this virus contains several internal text strings and rhymes. They are output only once when the virus starts from a dropper (that is 1 byte longer than the virus body): 

 There once was a bud named B.C.
 He grew on a 7 foot tree
 Till one day I plucked him
 Rolled him and smoked him
 And now I can barely see!


 Ladies and gentlemen, I stand before you to stand behind you to
 tell you something I know nothing about. Thursday, which is Good
 Friday, we're having a Father's Day party for mother's only.
 Admission is free, pay at the door, pull out a chair and sit on
 the floor.


 Late one night in the middle of the day, two dead soldiers got
 up to fight. Back to back they faced each other, pulled out
 their swords and shot one another. A deaf policeman heard the
 noise, got up and shot the twice dead boys. If you don't believe
 me, ask the blind man who saw it all, through a knothole in a
 wooden brick wall.


 Question: If someone with multiple personalities tries to commit
 suicide, do the police consider it a hostage situation?


 One bong hit, Two bong hit, Three bong hit, Floor.

Here's how it looks like:

The 7800 bytes long virus version is a very fast infector. Within several minutes all EXE files will be infected. From 3:00pm to 5:00pm the virus 'sleeps' - doesn't replicate. Infected files do not work after 9:00pm.

The virus also displays a copyright message if current minutes are equal to 17:

F-Secure provides detection and removal solution for this virus with the latest updates that can be downloaded from our ftp site: 

 ftp://ftp.F-Secure.com/anti-virus/updates/avp/
 ftp://ftp.europe.F-Secure.com/anti-virus/updates/avp/

[Analysis: Alexey Podrezov, F-Secure]