Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Toadie


Aliases:


Toadie
HLLP.Toadie, Termite

Malware

W32

Summary

Toadie is a relocating virus-worm. It is encrypted and non-memory resident. This virus was posted to several newsgroups as a cell phone cloning application on 15th of August 1999. The virus was in CELLCRK.ZIP file. When the CELLCRK.EXE program that was inside that ZIP is run it displays a rhyme and a copyright string of Symantec.



Disinfection & Removal


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.


Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details

When activated the virus searches for EXE files and infects them (50-100 at a time for Toadie.7800 version). This might cause a considerable decrease of perfomance on DOS-based and slow Windows systems. The delay after an infected file is run and before the original file code gets control can be up to 20 seconds if no disk cache program is installed.

The virus infects DOS and Windows EXE files files the same way. The 7800 bytes (or other length depending on virus version) from original file beginning are relocated to the end of the file and encrypted by the virus. The virus writes 7800 bytes of its code which is a DOS program (with EXE header) itself to infected file beginning thus converting any Windows program to DOS format. When any infected DOS or Windows program is run, virus code gets control first, infects more EXE files on hard disk(s) and then passes control to the original file code.

The virus has an ability to spread itself through IRC networks. On infected system the virus modifies settings of IRC client (mIRC) and creates TOADIE.EXE file. This file is sent [DCC] by an infected user to anyone who is joining any IRC channel the user is on at the moment. The virus also can replace unsent message contents in Outbound folder of Pegasus Mail. In this case the virus executable will be sent out instead of an original outgoing message.

The 1.1 version of this virus contains several internal text strings and rhymes. They are output only once when the virus starts from a dropper (that is 1 byte longer than the virus body):

There once was a bud named B.C.
 He grew on a 7 foot tree
 Till one day I plucked him
 Rolled him and smoked him
 And now I can barely see!
 Ladies and gentlemen, I stand before you to stand behind you to
 tell you something I know nothing about. Thursday, which is Good
 Friday, we're having a Father's Day party for mother's only.
 Admission is free, pay at the door, pull out a chair and sit on
 the floor.
 Late one night in the middle of the day, two dead soldiers got
 up to fight. Back to back they faced each other, pulled out
 their swords and shot one another. A deaf policeman heard the
 noise, got up and shot the twice dead boys. If you don't believe
 me, ask the blind man who saw it all, through a knothole in a
 wooden brick wall.
 Question: If someone with multiple personalities tries to commit
 suicide, do the police consider it a hostage situation?
 One bong hit, Two bong hit, Three bong hit, Floor.

Here's how it looks like:

The 7800 bytes long virus version is a very fast infector. Within several minutes all EXE files will be infected. From 3:00pm to 5:00pm the virus 'sleeps' - doesn't replicate. Infected files do not work after 9:00pm.

The virus also displays a copyright message if current minutes are equal to 17:







Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.