SECURITY ALERT

Name:      Toadie
Aliases:   HLLP.Toadie, HLLP.Toadie.7800
Variants:  
Type:      File
Status:    
Threat:    Low

Virus Characteristics

This is a non-memory-resident encrypted executable virus that can infect DOS and Windows machines alike. The virus was posted on several newsgroups on the 15th of August, 1999, disguised as a cellular phone cloning application with the file name of CELLCRK.ZIP. Inside the ZIP file is the infector, called CELLCRK.EXE. When the program is executed, it will display several rhymes, as well as a copyright statement which claims to be from Symantec.

Payload

When the CELLCRK.EXE file is executed, it will immediately start infecting .EXE files. Because of its rapid infection rate, victims may encounter severe performance problems, since the virus attempts to infect 50-100 files at any given moment. After infection, victims may wait up to 20 seconds for an application to appear after executing it. The virus adds 7800 bytes to the size of any infected file.

Once it has finished infecting .EXE files, it will then attempt to spread itself through IRC networks. The virus modifies the settings of a popular IRC client (mIRC) and copies itself to a file called TOADIE.EXE. This file will get sent automatically to any user in the same chat room as the currently infected user.

The virus can also replace unsent message contents in the Outbound folder of Pegasus Mail. In this case the virus executable will be sent out instead of the original outgoing message.

Detection

Detection of this particular virus is quite easy. Once infected, any Windows application, when executed, will bring up a DOS box for up to 20 seconds before executing.
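
A triage check built from the indicators above, as an added example that is not part of the original alert: it compares .EXE sizes against a snapshot taken before the suspected infection and flags files that grew by exactly 7800 bytes or that carry the names CELLCRK.EXE or TOADIE.EXE. The snapshot approach and the function names are assumptions of this example, and the sample files are constructed.

```python
import os
import tempfile

GROWTH = 7800                                   # bytes added per infected file (from the alert)
DROPPED_NAMES = {"CELLCRK.EXE", "TOADIE.EXE"}   # file names given in the alert

def snapshot(root):
    """Map each .EXE path under root (relative to root) to its size in bytes."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper().endswith(".EXE"):
                full = os.path.join(dirpath, name)
                sizes[os.path.relpath(full, root)] = os.path.getsize(full)
    return sizes

def triage(baseline, current):
    """Compare two snapshots and return a sorted list of (path, reason).

    A match is a lead for closer inspection, not proof: a file can grow by
    7800 bytes for other reasons, and a file that was both updated and
    infected shows a different delta and is missed by this check.
    """
    findings = []
    for path, size in current.items():
        if os.path.basename(path).upper() in DROPPED_NAMES:
            findings.append((path, "dropped-file name"))
        elif path in baseline and size - baseline[path] == GROWTH:
            findings.append((path, "grew by 7800 bytes"))
    return sorted(findings)

def demo():
    """Constructed sample: take a baseline, simulate size changes, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        for name, size in [("APP.EXE", 1000), ("TOOL.EXE", 2000), ("NOTE.TXT", 10)]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"\0" * size)
        baseline = snapshot(root)
        with open(os.path.join(root, "APP.EXE"), "ab") as f:
            f.write(b"\0" * GROWTH)     # growth matching the alert
        with open(os.path.join(root, "TOOL.EXE"), "ab") as f:
            f.write(b"\0" * 512)        # unrelated growth, e.g. an update
        with open(os.path.join(root, "toadie.exe"), "wb") as f:
            f.write(b"\0" * 100)        # name match is case-insensitive
        return triage(baseline, snapshot(root))

if __name__ == "__main__":
    for path, reason in demo():
        print(path, "-", reason)
```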

Point of Interest

We do not expect this virus to present itself in North America's corporate environment. The methods it uses to spread itself are typically not present inside a corporate environment. IRC channels are typically blocked off at the firewall, and Pegasus Mail, while being a popular e-mail client, is not typically present in corporate North America.
