Malware Wiki

Arcturus


Arcturus is a Microsoft Windows file-infecting virus. The virus executable is 811 kilobytes in size. Its sole purpose was to challenge the author's system and programming knowledge, and it was supposed to be tested only in virtual machines. The author published the virus along with a READ_ME.txt file that warns the user about the virus's ability to spread into the wild via portable memory devices and to damage computers when run.

Activation

The virus is supposed to arrive on the system on an infected portable memory device, in its original executable form. If users share OS files from an infected machine (such as DLLs or the Microsoft calculator) using a portable memory device, there is also a chance that those OS files are infected.

As soon as the original executable or an infected file is run, the virus activates.

Behaviour

When executed, the virus pops up a fake error message, pretending to be broken software. Meanwhile it drops a copy of itself in the C:\WINDOWS folder and adds the following registry value:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NT


which runs the copy in the Windows directory every time the machine restarts. It also drops copies of itself to the D: and E: drives if they exist, and in this way tries to spread through portable memory devices.


The virus blocks Registry Editor, Task Manager, Command Prompt and System Configuration windows, along with popular antiviruses, such as Norton and others. The virus also searches for window titles containing the words 'disk' and 'partition'.

The virus starts converting every 'd' the user types into an underscore (_) character.

When the user presses the key combinations Ctrl+X, Ctrl+C, Ctrl+V or Ctrl+Z, the virus inserts random numbers along with the cut/copy/paste/revert operations. This makes working on the computer harder.


[Image: message box shown by the virus. Caption: A very informational message box.]

When the user types English curse words pre-defined by the virus author, the virus deletes the curse word and pops up a funny message box, playing with the user. If the user presses the Tab key, it uses the default browser to open the web page You Are An Idiot.

If the virus runs on the 1st day of any month, it infects notepad.exe and blocks all mouse and keyboard input. While doing this, it also redirects

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Fonts

to the root of the C: drive. This has no effect at runtime, but might cause problems during updates or system changes.

[Image: "Whoops" message box. Caption: Arcturus being tested by its original author.]

If the virus runs on the 30th or 31st of any month, it infects mspaint.exe and pops up a message box that says "Whoops.". If the user presses OK, or 4 seconds have elapsed, it pops up another message box saying "I said, WHOOPS!", and if the user presses OK or another 4 seconds elapse, it force-shuts down the session.

The destructive payload activates once the user presses the key combination Ctrl+Alt+Delete. The virus pops up a message box saying "Nothing weird happening, just act normal.". When the user presses OK, it infects calc.exe, kernel32.dll and hal.dll by completely overwriting them, then plays "The Blue Danube" composed out of sound card beeps. Overwriting these files prevents the computer from booting after a reboot.

However, the author added a secret recovery mechanism in case he ran it accidentally on his own computer. Before overwriting these files, the virus creates hidden copies of them in the Windows directory, under a different name and extension. As long as the user doesn't shut down or reset the computer, there is a chance of recovery after the destructive payload.

Recovery

[Image: hidden backup files in Explorer.] You will have to enable the "Show hidden files" option to see the backup files the virus created.

According to the author, once the user notices the infection, and provided the computer has not been shut down, the following procedure recovers the system without having to reinstall the operating system, preventing any data loss:

IMPORTANT: This only works if you did not shut down or reset the machine after the destructive payload.

1- Check the sizes of the following files. If a file is 811 KB, it is infected; apply the corresponding recovery procedure:

a) WINDOWS\system32\kernel32.dll

If infected, replace the file with the following hidden file: WINDOWS\5908509358093580539.scr

Afterwards, you can delete the hidden file.

b) WINDOWS\system32\hal.dll

If infected, replace the file with the following hidden file: WINDOWS\895483485555454.dll

Afterwards, you can delete the hidden file.

2- Make sure none of your DLLs are infected with the virus, then reboot into Safe Mode.

3- a) Delete the file that you infected the system with.

b) Delete WINDOWS\arcturus.exe

c) Delete the following registry value: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NT

d) Delete the original executable.

4- If one of the following files: notepad.exe, calc.exe, mspaint.exe has been infected, copy the original files from another computer.
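The checks in the procedure above (file sizes of 811 KB, the dropped WINDOWS\arcturus.exe, the Run\NT value, and the hidden backup files) can be gathered in one read-only triage pass. The following PowerShell script is an added example and is not part of the wiki article or the virus author's material; it only reports what it finds and modifies nothing, so the manual recovery steps remain the operator's decision. Assumptions not stated by the article: the "811 KB" comparison is made after rounding the file length to whole KiB, the infected programs are looked up under %SystemRoot%\system32, and the copies dropped on the D: and E: drives are assumed to be named arcturus.exe.

```powershell
# Added triage script for the Arcturus indicators listed in the article.
# Read-only: it reports findings and does not delete, replace or modify anything.
# Assumptions (not from the article): sizes compared after rounding to whole KiB;
# infected programs looked up in %SystemRoot%\system32; removable-drive copies
# assumed to be named arcturus.exe.

$ArcturusSizeKB = 811
$Root  = $env:SystemRoot
$Sys32 = Join-Path $Root 'system32'

# Returns $true if the file exists and rounds to 811 KB, $false if it exists
# with another size, and $null if the file is absent.
function Test-ArcturusSize {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $kb = [math]::Round((Get-Item -LiteralPath $Path -Force).Length / 1KB)
    return ($kb -eq $ArcturusSizeKB)
}

$findings = @()

# 1. Files the article says get overwritten; each becomes 811 KB when infected.
$targets = @(
    (Join-Path $Sys32 'kernel32.dll'),
    (Join-Path $Sys32 'hal.dll'),
    (Join-Path $Sys32 'calc.exe'),
    (Join-Path $Sys32 'notepad.exe'),
    (Join-Path $Sys32 'mspaint.exe')
)
foreach ($t in $targets) {
    if ((Test-ArcturusSize $t) -eq $true) { $findings += "INFECTED (811 KB): $t" }
}

# 2. Dropped copy in the Windows directory and the Run\NT persistence value.
$drop = Join-Path $Root 'arcturus.exe'
if (Test-Path -LiteralPath $drop) { $findings += "Dropped copy present: $drop" }

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$nt = Get-ItemProperty -Path $runKey -Name 'NT' -ErrorAction SilentlyContinue
if ($nt) { $findings += "Run value 'NT' -> $($nt.NT)" }

# 3. Hidden backups the virus leaves before overwriting; these enable recovery.
$backups = @{
    (Join-Path $Root '5908509358093580539.scr') = 'kernel32.dll'
    (Join-Path $Root '895483485555454.dll')     = 'hal.dll'
}
foreach ($b in $backups.Keys) {
    if (Test-Path -LiteralPath $b) {
        $findings += "Backup of $($backups[$b]) available (hidden): $b"
    }
}

# 4. Copies on the D: and E: drives (assumed file name, see header comment).
foreach ($d in 'D', 'E') {
    $p = "${d}:\arcturus.exe"
    if (Test-Path -LiteralPath $p) { $findings += "Removable-drive copy: $p" }
}

if ($findings.Count -eq 0) { 'No Arcturus indicators found.' } else { $findings }
```

Run it from an elevated PowerShell session on the suspect machine before rebooting, since the article's recovery window closes on shutdown. Test-Path and Get-Item with -Force are used so that the hidden backup files are found even when Explorer is not showing hidden files.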

Name

The virus executable is named arcturus.exe by the author and was inspired by a star in the Boötes constellation.

Origin

The virus originates from Turkey and was shared on a forum site dedicated to malware. The author decided to provide information about it in case someone accidentally releases it into the wild, despite all the warnings.
