Threat Description

Totilix

Details

Category: Malware
Type: Worm
Platform: W32
Aliases: Totilix, I-Worm.Totilix

Summary


Totilix is a dangerous Internet virus-worm that spreads via e-mail messages and overwrites all EXE files in the Windows directory with a copy of itself (except EMM386.EXE, SETVER.EXE and files that are currently running and therefore locked).



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


After overwriting the EXE files, the worm registers its own file to be run at each Windows startup (this is pointless, because the system will not be functional anyway once all EXE files are overwritten). To do so, the worm creates a new auto-run key in the system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RunAVUpdate = "worm filename"

where "worm filename" is the actual name of the file the worm was run from. The worm also creates an "identification" registry key:

HKLM\Software\Microsoft\AVUpdte\Install  

which marks the system as already infected, so that the worm does not overwrite the EXE files in Windows again or send infected messages a second time.

The worm does not obtain a victim's e-mail address from the MS Outlook address book or from other files, as other e-mail worms do; instead it forces the user to select the victim's address. When started, the worm displays a fake message:

AV Intelligent Updater
Please select email address to send at your friend
Select email address with 'a' only not with 'A'

Then the worm activates an e-mail client through MAPI functions (so it does not depend on the e-mail client's brand or version), opens the Address Book dialog and waits for the user to select one or more addresses there. After that the worm sends an infected message with its file attached to the selected address(es). The message the recipient gets looks like this:

Hi Friend,
This mail contains a new AV intelligent updater for all antivirus.
To install it, execute the attachment file
if you have any problem, send mail at antivirus@hotmail.com

The attached file has the same name as the file the worm was activated from. Initially, the worm was received under the name AVUPDATE.EXE. The second common name is TOTILIX.EXE.

If any error occurs while selecting an address or sending, the worm erases all files in the Windows directory and displays one of the following "error" messages:

The recipient requested has not been or could not be resolved to a unique address list entry
The recipient could not be resolved to any address.The recipient might not exist or might be unknown
One or more unspecified errors occured
The name was not resolved
There was insufficient memory to proceed
The operation was not supported by the messaging system
The user was cancelled one or more dialog box

If the worm successfully sends an infected e-mail, it disguises its action with the following message:

AV Intelligent Updater
Internal error occured when you have launch this program
Contact antivirus@hotmail.com or others AV

Depending on the system date and time, the worm erases files in the Windows directory and displays the following messages:

On 13th of any month, if seconds = 30:

Virus Win32.AVUpdate
Attention, votre PC est en danger!!!!!
Car ceci est ma veritable identite
Veuillez contacter votre centre AV le plus proche

On 2nd of February:

Win32.Eva by Benny, (c) 1999
Hello stupid user, i'm so sorry but i have to interrupt your work,
Cause i hate this shitty program. Click OK to continue
Greets to:
Super/29A
Darkman/29A
Jack Qwerty/29A
Billy Belcebu/DDT
And many other 29 Aers...

On 9th of May:

Win32.3x3eyes coded by: Bumblee[UC]
This is my last contribution to Ultimate Chaos team Greetings UC brothers

On 5th of April:

Virus Report rev 2.1
SPIT.Win32 is a Bumblee Win32 Virus
Feel the power of spain and die by the SpiT!

On 24th of September:

TOTILIX Presents...
This TOTILIX Virus was assembled at the city of Oporto Portugal!
Gas_par@hotmail.com
(c) 1999 G@SP@R aka Sexus

Variant: Totilix.b (I-Worm.Totilix.b, Britney, AVUpd)

Totilix.b, or Britney, is a modification of the original Totilix virus-worm. On startup the worm loads the KERNEL32.DLL and MAPI32.DLL libraries, gets the address of the RegisterServiceProcess function and creates its startup key 'ILoveBritney' in the Windows Registry under:

Software\Microsoft\Windows\CurrentVersion\RunServices  

or in case of Windows NT:

Software\Microsoft\WindowsNT\CurrentVersion\RunServices  

This allows the worm to be run in every Windows session. Then the worm changes the Internet Explorer start page to 'www.britney-spears.to/site.html' and checks its 'installation check key':

Software\Britney\Install  

If this key is not found, the worm renames SSTART.SRC to BRITNEY.SCR and starts to look for EXE files. Each EXE file it finds is overwritten with its copy (except for EMM386.EXE and SETVER.EXE). Then the worm creates the key shown above and gets the addresses of the MAPI-related functions. If an error occurs during this step, the worm shows a message box with the following error text (the caption of all the worm's message boxes is 'ILoveBritney Freeware'):

MAPI function can't found
Please refer to help to install it

Then it deletes all files in the C:\ folder and exits. Otherwise the worm displays the following message:

Please select email address to send at your friend
This program open automaticaly your address book

When the user selects addresses from the opened Address Book, the worm tries to send a message with its copy attached to the selected addresses. The infected message looks like this:

New Britney Screen Saver
Hi
I Send you this mail to give you a new screen saver about Britney Spears.
I hope your enjoy to have it.
See you soon...

If an error occurs during this process, the worm shows a message box with one of its error messages, for example:

A error occured when i try to send email
Please refer to your windows help for more informations

Then it tries to delete all found files and exits.

If the sending attempt succeeds, the worm displays the following message:

Thanks to have take this freeware!!!!
Which include new screen saver about britney
Now, send this software to your friend who like me
If you want to email me, send at britney@peeps.com

Then the worm installs itself in memory and checks the current date. If the date is the 12th of February, the worm starts to continuously show message boxes with the following text:

Win32.ILoveBritney
It's Britney Birthday!!!!!
You musn't work today...

After that the worm deletes the AUTOEXEC.BAT, CONFIG.SYS, IO.SYS and MSDOS.SYS files from the root C:\ folder and shuts down Windows.

If the date does not match, the worm checks the current time; if it is between 8:00 and 18:00, it sets the captions of all windows to 'Win32.ILoveBritney par ZeMacroKiller98' and starts to output the following messages in different colors on the screen:

Britney Spears is very beautiful girl!!!
If you don't think that, you think it now, Ha Ha Ha Ha

Because of a bug in the worm's code the first message is never seen: the author got the output coordinates wrong, so the second message is drawn over it.

If the time is between 18:00 and 8:00, the worm displays the following message and shuts down Windows:

You can't use your PC, now!!!
It's time to stop your computer...

The Totilix.b virus-worm can cause heavy damage to the system it infects by replacing EXE files with its copy or by deleting all found files. In many cases the system becomes unbootable.
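The two traces this description gives for both the original worm and the .b variant are byte-identical EXE files in the Windows directory and the registry markers quoted above. The following triage helpers are an added example, not F-Secure's code; they run on a constructed directory and a constructed .reg export, and the file contents and paths are placeholders.

```python
# Added example (not F-Secure's code): triage helpers for the traces described
# above. Totilix overwrites every EXE in the Windows directory with its own body
# (sparing EMM386.EXE and SETVER.EXE), leaving byte-identical executables, and
# writes the registry markers quoted above. All inputs below are constructed.
import hashlib
import os
import re
import tempfile
from collections import defaultdict

TOTILIX_REG_MARKERS = (r"Software\Microsoft\AVUpdte\Install", r"Software\Britney\Install")
TOTILIX_RUN_VALUES = ("RunAVUpdate", "ILoveBritney")  # auto-run value names from the page

def find_cloned_executables(directory, min_clones=3):
    """Return {sha256: [names]} for EXE contents shared by at least min_clones files."""
    by_hash = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(".exe"):
            with open(os.path.join(directory, name), "rb") as fh:
                by_hash[hashlib.sha256(fh.read()).hexdigest()].append(name)
    return {h: names for h, names in by_hash.items() if len(names) >= min_clones}

def find_registry_markers(reg_export_text):
    """Return the worm's marker keys and auto-run value names present in a .reg export."""
    hits = []
    for line in reg_export_text.splitlines():
        key = re.match(r"^\[(?:HKEY_LOCAL_MACHINE|HKLM)\\(.+)\]$", line.strip())
        if key and key.group(1) in TOTILIX_REG_MARKERS:
            hits.append(key.group(1))
        value = re.match(r'^"([^"]+)"=', line.strip())
        if value and value.group(1) in TOTILIX_RUN_VALUES:
            hits.append(value.group(1))
    return hits

def demo():
    """Scan a constructed Windows-like directory and a constructed .reg export."""
    overwritten = ("NOTEPAD.EXE", "CALC.EXE", "REGEDIT.EXE", "WRITE.EXE")
    files = {n: b"MZ-stand-in-worm-body" for n in overwritten}  # placeholder bytes
    files.update({"EMM386.EXE": b"MZ-emm386", "SETVER.EXE": b"MZ-setver"})  # spared
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        clones = find_cloned_executables(tmp)
    reg = "\r\n".join([
        "Windows Registry Editor Version 5.00", "",
        r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]",
        '"RunAVUpdate"="C:\\\\WINDOWS\\\\AVUPDATE.EXE"', "",
        r"[HKEY_LOCAL_MACHINE\Software\Microsoft\AVUpdte\Install]"])
    return clones, find_registry_markers(reg)
```

On a real system the same two functions would be pointed at the Windows directory and at a `reg export HKLM` dump; a single hash shared by most EXE files is the signature of the overwrite the description reports.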





Technical Details: Eugene Kaspersky, KL; Alexey Podrezov, F-Secure; February 2001

