Category :


Type :


Aliases :

Simbiosis, Cholera, CTX


Cholera and CTX were created by a member of 29A virus writers group for the Simbiosis project. This project was created to check how well the simbiosis of a Win32 virus and an Internet worm works and how fast it spreads. The virus-worm file is named SETUP.EXE and it contains an encrypted Cholera worm executable infected with a CTX virus. This file is usually received as an email attachment. The message contains only a 'smile' sign - ':)'. If the SETUP.EXE file is run the system becomes infected with both CTX virus and Cholera worm.


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Cholera worm being activated displays a message:

	Cannot open file: it does not appear to be a valid archive. 	If you downloaded this file, try downloading the file again.

This is a disguise only. At the same time the worm copies itself to \Windows\ directory and modifies WIN.INI to be run during all further Windows startups. The worm adds its execution string to 'RUN=' statement in WIN.INI file. On NT systems Cholera modifies Registry as WIN.INI file is not used to run files at startup.

Being active in memory the worm waits until any Internet-using application (TelNet, mIRC, Netscape, IE) is executed and then spreads itself by sending its copy to email addresses previously picked up from DBX, EML, HTM, HTML, IDX, MBX, NCH and TXT files. The worm tries to find these files on infected system hard disk. The worm does not use MAPI routines or any mail browser to send itself out - it has its own SMTP engine. As the worm spreads itself while other Internet clients are working, its presence and activities are very hard to notice.

The CTX virus is an 'advanced' Win32 virus (as its creator states) it has features not typical for other Win32 viruses - self-integrity check, way of searching for Windows APIs by using CRCs instead of API names, EPO - Entry Point Obscuring (placing a jump to its body somewhere inside an infected file). Being activated the virus looks for Windows PE executables and infects them. The infection is of appending type. The virus body is encrypted. CTX virus doesn't have any payload and it manifests itself by a video effect only.