McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• HLLT.Toadie.GR

• Toadie

Characteristics

HLLT.Toadie family is written in the high level language (HLLT) ASIC, a dialect of BASIC, as opposed to assembler or "low level language". It has 4 variants including 6585, 6810, 7800 and 7800b (indicating size in length of the contaminant) and the virus code is compressed.

All known variants attempt to use Pegasus v3.0 mail to send itself. Variants 6810, 7800, and 7800b attempts to use mIRC client and "dcc"s itself under the name TOADIE.EXE whenever somebody joins the mIRC channel.

The first variant contains the string "Toadie 1.0" and the second - "Toadie 1.1", the third and fourth "TOADiE v1.2", "Initializing....Ok! Files in current directory have been infected, You are.strongly cautioned not to execute any of them!". The first variant is not known to be in the wild, however reports indicate the other variants are.

The first two variants encrypt the host executable file and move the slice equal to the size of the virus to the end of the file. Date and time of the file is used as a decryption key so if any infected file is changed in any way it will no longer run).

Symptoms

Increase in size to binary files, decrease in system speed, an MS-DOS box opens during execution of file(s) and close.

Method of Infection

Direct infection.

Removal
MS-DOS boot, scan with command line scanner and required .DAT files.

VirusScan 3 does not support detection/removal of this virus.

Removal

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants

• *6585
• *6810
• 7800
• 7800b

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• HLLT.Toadie.GR

• Toadie

Characteristics

Characteristics -

HLLT.Toadie family is written in the high level language (HLLT) ASIC, a dialect of BASIC, as opposed to assembler or "low level language". It has 4 variants including 6585, 6810, 7800 and 7800b (indicating size in length of the contaminant) and the virus code is compressed.

All known variants attempt to use Pegasus v3.0 mail to send itself. Variants 6810, 7800, and 7800b attempts to use mIRC client and "dcc"s itself under the name TOADIE.EXE whenever somebody joins the mIRC channel.

The first variant contains the string "Toadie 1.0" and the second - "Toadie 1.1", the third and fourth "TOADiE v1.2", "Initializing....Ok! Files in current directory have been infected, You are.strongly cautioned not to execute any of them!". The first variant is not known to be in the wild, however reports indicate the other variants are.

The first two variants encrypt the host executable file and move the slice equal to the size of the virus to the end of the file. Date and time of the file is used as a decryption key so if any infected file is changed in any way it will no longer run).

Symptoms

Symptoms -

Increase in size to binary files, decrease in system speed, an MS-DOS box opens during execution of file(s) and close.

Method of Infection

Method of Infection -

Direct infection.

Removal
MS-DOS boot, scan with command line scanner and required .DAT files.

VirusScan 3 does not support detection/removal of this virus.

Removal -

Removal -

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants -

• *6585
• *6810
• 7800
• 7800b