
Arcturus is a Microsoft Windows file-infecting virus. The executable of the virus is 811 kilobytes in size. Its sole purpose was to challenge the author's system and programming knowledge, and it was supposed to be tested only in virtual machines. The author published the virus along with a READ_ME.txt file that warns the user about the virus's ability to spread into the wild via portable memory devices and cause damage to computers when run.


The virus is supposed to arrive on the system via an infected portable memory device, in its original executable form. If users share OS files from an infected machine (such as DLLs or Microsoft Calculator) using a portable memory device, there is also a chance that those OS files are infected.

As soon as the original executable or an infected file is run, the virus activates.


When executed, the virus pops up a fake error message, pretending to be broken software. Meanwhile it drops a copy of itself in the C:\WINDOWS folder and adds the following registry key:


which runs the copy in the Windows directory every time the machine starts. It also drops copies of itself to the D and E drives if they exist, and in this way tries to spread through portable memory devices.

The virus blocks Registry Editor, Task Manager, Command Prompt and System Configuration windows, along with popular antiviruses, such as Norton. The virus also searches for window titles containing the words 'disk' and 'partition'.

The virus starts to convert every letter 'd' that the user types in any program to the underline (_) character.

When the user presses Ctrl+X, Ctrl+C, Ctrl+V or Ctrl+Z, the virus prints out random numbers along with the cut/copy/paste/revert instructions. This makes the process of fixing the computer more complex.


A very informational message box.

When the user types English profanities that are pre-defined by the virus author, the virus will delete the profanity and create a pop-up message with the intent of playing with the user. If the user presses the Tab key, it will use the default browser to open the web page You Are An Idiot.

If the virus runs on the 1st day of any month, it will infect notepad.exe and block all mouse and keyboard input. As the virus does this, it will also redirect

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Fonts

to the root of the C drive. This doesn't appear to cause any visible changes or damage while the virus is running, but might cause problems during updates or system changes.


Arcturus being tested by its original author.

If the virus runs on the 30th or 31st of any month, it will infect mspaint.exe and pop up a message box that says "Whoops.". If the user presses OK, or 4 seconds have elapsed, it will pop up another message box saying "I said, WHOOPS!", and if the user presses OK or 4 seconds elapse, it will force-shutdown the session.

The destructive payload activates once the user presses the key combination Ctrl+Alt+Delete. The virus will pop up a message box saying "Nothing weird happening, just act normal.". When the user presses OK, it will infect calc.exe, kernel32.dll and hal.dll by completely overwriting them, then it will play "The Blue Danube" composed out of sound card beeps. The overwritten files prevent the computer from booting when restarted.

The author has added a secret recovery mechanism in case he runs it accidentally on his own computer. Before overwriting these files, the virus will create hidden copies of them in the root directory, but with a different name and extension. As long as the user doesn't shut down or reset the computer, there is a chance of recovery after the destructive payload.



You will have to enable the "Show hidden files" option to see the back-up files the virus created.

According to the author, after the user notices the infection and if the computer hasn't been shut down, the following procedure will recover the user's system without having to reinstall the operating system, preventing any data loss:

IMPORTANT: Only works if the user has not shut down or reset the machine after the destructive payload.

1- Check the sizes of the following files; if the size is 811 KB, the file is infected. Apply the corresponding recovery procedure:

a) WINDOWS\system32\kernel32.dll

If infected, replace the file with the following hidden file: WINDOWS\5908509358093580539.scr

Afterwards, the user can delete the hidden file.

b) WINDOWS\system32\hal.dll

If infected, replace the file with the following hidden file: WINDOWS\895483485555454.dll

Afterwards, the user can delete the hidden file.

2- Make sure none of the computer's DLLs are infected with the virus, and reboot into safe mode.

3- a) Delete the file that the user has infected the system with.

b) Delete WINDOWS\arcturus.exe

c) Delete the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NT

d) Delete the original executable.

4- If one of the following files: notepad.exe, calc.exe, mspaint.exe has been infected, copy the original files from another computer.
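
The file checks from steps 1 and 4 can be scripted. The following is an added triage example, not part of the original page or the virus author's material: it scans a Windows directory (live, or a mounted copy) for files matching the 811 KB size, looks for the hidden backups named above, and reports which step applies. Assumptions: "811 KB" is compared after rounding the size up to whole kilobytes, the size check is extended to the step 4 files, and all function names are this example's own. The registry key from step 3 is not checked.

```python
import math
import tempfile
from pathlib import Path

INFECTED_KB = 811  # size the page gives for the virus executable
# Overwritten file -> hidden backup, both relative to the Windows directory (from the page).
BACKUPS = {"system32/kernel32.dll": "5908509358093580539.scr",
           "system32/hal.dll": "895483485555454.dll"}
# Step 4 files have no backup; using the size check on them is this example's assumption.
NO_BACKUP = ["notepad.exe", "calc.exe", "mspaint.exe"]

def looks_infected(path: Path) -> bool:
    """True if the file's size, rounded up to whole KB, is 811 (rounding is assumed)."""
    return path.is_file() and math.ceil(path.stat().st_size / 1024) == INFECTED_KB

def triage(windir: Path) -> dict:
    """Map each suspicious file to the step of the page's procedure that covers it."""
    report = {}
    for target, backup in BACKUPS.items():
        if looks_infected(windir / target):
            usable = (windir / backup).is_file() and not looks_infected(windir / backup)
            report[target] = f"restore from {backup}" if usable else "no usable backup found"
    for name in NO_BACKUP:
        for found in (windir / name, windir / "system32" / name):
            if looks_infected(found):
                report[found.relative_to(windir).as_posix()] = "copy original from another computer"
    if (windir / "arcturus.exe").is_file():
        report["arcturus.exe"] = "delete dropped copy"
    return report

def build_sample(windir: Path) -> None:
    """Constructed test tree: sizes are made up, only the 811 KB figure is from the page."""
    (windir / "system32").mkdir(parents=True)
    for rel, size in {"system32/kernel32.dll": 830_000,   # rounds up to 811 KB
                      "system32/hal.dll": 131_072,        # 128 KB, treated as clean
                      "system32/calc.exe": 830_000,
                      "5908509358093580539.scr": 989_696,  # stand-in for the real DLL
                      "arcturus.exe": 830_000}.items():
        (windir / rel).write_bytes(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp) / "WINDOWS")
        for item, action in triage(Path(tmp) / "WINDOWS").items():
            print(f"{item}: {action}")
```

A size match is only a heuristic; confirm a flagged file against a known-good copy before replacing it.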


The virus executable is named arcturus.exe by the author and was inspired by a star in the Boötes constellation.


The virus originates from Turkey, and was shared on a forum site dedicated to malware. The author decided to provide information about it in case someone accidentally releases it into the wild, despite all the warnings.