Welcome to the Computer Security Wiki! You can help us by expanding stubs, create new articles and improve current articles.
You can also help us by logging-in or creating an account!


From Malware Wiki
Jump to: navigation, search

OriginUnited States of America
Programming LanguageC# and VB
PlatformMicrosoft Windows
File Type.EXE (CIL)
Alias(es)Resonate, ResonateI, Resonate 1
Size4 MB
This box: view  talk  edit

Resonate is a non-resident prepending parasitic file-infecting virus on Microsoft Windows, specifically Windows 7 and up. It was originally created as a learning experience, however it was later submitted to Danooct1's "viewer-made malware" segment.

Due to its popularity, its second counterpoint was made that contains deadly payloads and can work on Windows XP and up as ResonateII.

File Structure

Resonate is actually 2 seperate programs, a file infecting virus and a trojan. The virus holds the trojan as a resource to be extracted and executed at infection time. Resonate is prepending, so it infects files by inserting itself into the front of the file and pushing the file contents back. This causes Resonate to run instead of the intended file at run time.


Its payloads can be cancelled in Task Manager, and to remove the file itself simply delete the file.

Installation Routine

When an infected file is run, Resonate finds the end of the virus so that it can extract the host file. Once it has read the host file into memory, it writes a temporary hidden file containing this host and executes it, attempting to pass command line arguments then waits for the host to terminate. Once the host has terminated, Resonate deletes the temporary file and drops its trojan to %userprofile% as "tdrop.scr" and executes it. The trojan portion then installs itself to the system by copying itself to %userprofile% as "svchost.scr" and adding itself to the Run key. The .scr extensions are a way of keeping the virus from infecting the trojan.


Resonate features several non-destructive payloads. It checks the date at every boot, and if the date matches one of several prerequisite dates, it will activate one of its payloads.

  • January 2nd - Drops a copy of Blast Button and executes it.
  • February 16th - Plays "Grass Beach" by YouTube user LtKittenKiss on loop.
  • April 20th - Attempts to replace the wallpaper with a cannabis leaf (only on Windows 7).                                                                                                                
  • May 24th - Drops a recreation of "You Are An Idiot" and runs it. This is a Microsoft Word macro and it does not block Alt+F4 or Ctrl+Alt+Del, thus can be terminated via Task Manager. However, Alt+F4 acts like closing it and thus produces more windows.
    May 24th payload
  • September 4th - Attempts to open FitTea.org every 15 seconds, but due to a programming error, it opens the site every 15000 seconds (4 hours and 10 minutes) instead.
  • September 6th - Covers the screen with a pixelated picture of Fred Durst up to his nose with a caption telling the user to go play outside, attempting to block any effort to terminate it. The word "outside" is misspelled as "outsie".
  • December 30th - Covers the screen in a window that slowly shifts through hues, typing out a message, allowing the user to continue once the message has been typed out. This message is a possible reference to the video game Rez and comes from the fifth and final stage of the game.