Hi Raza
Computer Associates provides a free download. Details of the virus, and how to
clean it, can be found at the following URL:
http://www.cai.com/virusinfo/encyclopedia/descriptions/mtx.htm
Mtx (also known as Win95.Mtx, W32/MTX@mm, W32/Apology, W32/MTX and I-Worm.MTX)
Win95.Mtx is a 32-bit virus that has worm-like behavior and drops a trojan. It
uses an infection method called "entry point obscuring". This means that rather
than executing the virus at the very start of an infected program (the "entry
point"), it can patch the program at almost any point inside its code. This is
designed to make detection more difficult; the virus might not activate straight
away when an infected program is run. For example, the virus may only activate
when a particular function of the infected program is used.
When the virus is run, it infects files in the Windows directory. Win95.Mtx then
unpacks and drops its worm component twice in the Windows directory as files
with the following names:
"Ie_pack.exe"
and "Win32.dll"
A trojan file named "Mtx_.exe" is also dropped in the Windows directory, and the
following registry key (which runs the trojan each time Windows reboots) is
created:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemBackup = \MTX_.EXE
The trojan attempts to download and run files from a website which may contain
other malicious programs. Next, the worm part is launched and creates a modified
version of Wsock32.dll. It then overwrites the wininit.ini file with its own
copy. (The wininit.ini file is only present on the system when required. When
the system starts, commands in this file will be carried out and the file will
be deleted). The virus' wininit.ini file contains commands to replace the
original version of Wsock32.dll file with its own when Windows reboots. Once the
original version is replaced, the new Wsock32.dll intercepts information being
sent (by the send() function) from the computer to the network. If it detects
that an e-mail is being sent, it will immediately send a second e-mail to the
same recipient. The second e-mail has no subject and no body; merely an
attachment which is randomly picked from a list of names within the code (shown
here in the same order as in the infected file):
README.TXT.pif
I_wanna_see_YOU.TXT.pif
MATRiX_Screen_Saver.SCR
LOVE_LETTER_FOR_YOU.TXT.pif
NEW_playboy_Screen_saver.SCR
BILL_GATES_PIECE.JPG.pif
TIAZINHA.JPG.pif
FEITICEIRA_NUA.JPG.pif
Geocities_Free_sites.TXT.pif
NEW_NAPSTER_site.TXT.pif
METALLICA_SONG.MP3.pif
ANTI_CIH.EXE
INTERNET_SECURITY_FORUM.DOC.pif
ALANIS_Screen_Saver.SCR
READER_DIGEST_LETTER.TXT.pif
WIN_$100_NOW.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
QI_TEST.EXE
AVP_Updates.EXE
SEICHO-NO-IE.EXE
YOU_are_FAT!.TXT.pif
FREE_xxx_sites.TXT.pif
I_am_sorry.DOC.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
Protect_your_credit.HTML.pif
JIMI_HMNDRIX.MP3.pif
HANSON.SCR
FUCKING_WITH_DOGS.SCR
MATRiX_2_is_OUT.SCR
zipped_files.EXE
BLINK_182.MP3.pif
In addition, the replacement Wsock32.dll monitors the location of HTTP requests
(web-browsing), and the address of e-mail recipients. The program will crash if
it detects that the user is attempting to either access an anti-virus site or
send e-mail to an anti-virus company. It detects this communication by searching
for substrings and strings in the domain name from the following lists:
NII.
nai.
avp.
AVP.
F-Se
f-se
mapl
pand
soph
ndmi
afee
yenn
lywa
tbav
yman
wildlist.o
il.esafe.c
perfectsup
complex.is
HiServ.com
hiserv.com
metro.ch>
beyond.com
mcafee.com
pandasoftw
earthlink.
inexar.com
comkom.co.
meditrade.
mabex.com>
cellco.com
symantec.c
successful
inforamp.n
newell.com
singnet.co
bmcd.com.a
bca.com.nz
trendmicro
sophos.com
maple.com.
netsales.n
f-secure.c
F-Secure.c
The virus contains the following ASCII text:
Software provide by [MATRiX] VX team:
Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
Greetz:
All VX guy on #virus channel and Vecna
Visit us: www.coderz.net/matrix
Cleaning Instructions:
Please ensure that you have the latest virus engine and signature files
installed on your PC;
Open your anti-virus program and configure it to detect and clean infected
files;
Perform a full scan of the hard-disk;
Reboot your computer.
If you are still having difficulty removing the virus, you will need to boot
your machine in DOS-mode (from a clean system disk) and run an up-to-date rescue
utility that is available with your anti-virus program.
Regards
Patrick Corliss
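Added example (not part of this message or of the CA description): a Python check that a defender could run at a mail gateway or in a host audit, built from the indicators quoted above. It flags the deceptive double-extension attachment names (a document-looking .TXT/.JPG in front of an executable .pif/.scr/.exe) and the SystemBackup entry under the Run key; the function names, the exported-registry dict shape and the sample inputs are assumptions, not from the page.

```python
"""Gateway-side checks for the Mtx indicators described above."""
from typing import Dict, Optional

# Extensions Windows executes; Mtx hides them behind a document-looking
# inner extension (README.TXT.pif, Me_nude.AVI.pif, ...).
EXECUTABLE_EXT = {"pif", "scr", "exe"}
DOCUMENT_EXT = {"txt", "jpg", "doc", "mp3", "html", "avi"}

# A handful of the fixed names from the list in the description (not all 32),
# for exact-match detection independent of the extension heuristic.
KNOWN_MTX_NAMES = {
    "README.TXT.pif", "MATRiX_Screen_Saver.SCR", "ANTI_CIH.EXE",
    "AVP_Updates.EXE", "zipped_files.EXE", "BLINK_182.MP3.pif",
}


def classify_attachment(name: str) -> Optional[str]:
    """Return why an attachment name is suspicious, or None if it looks benign."""
    if name in KNOWN_MTX_NAMES:
        return "known MTX attachment name"
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DOCUMENT_EXT and parts[2] in EXECUTABLE_EXT:
        # The double extension is the trick: the user sees ".TXT", Windows runs ".pif".
        return f"executable .{parts[2]} disguised as .{parts[1]}"
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXT:
        return f"executable attachment (.{parts[-1]})"
    return None


def mtx_run_key_present(run_values: Dict[str, str]) -> bool:
    """True if the Run key holds the SystemBackup -> MTX_.EXE persistence entry.

    run_values maps value names to their data under
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (exported by the caller;
    assumed shape). Only the file name part of the data is compared.
    """
    data = run_values.get("SystemBackup", "")
    return data.rsplit("\\", 1)[-1].upper() == "MTX_.EXE"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real mailbox or registry.
    for name in ["README.TXT.pif", "YOU_are_FAT!.TXT.pif", "HANSON.SCR", "agenda.txt"]:
        print(f"{name}: {classify_attachment(name)}")
    print(mtx_run_key_present({"SystemBackup": "\\MTX_.EXE"}))
```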
----- Original Message -----
From: Raza Jaffri <[EMAIL PROTECTED]>
To: Bizops-List <[EMAIL PROTECTED]>
Sent: Monday, November 13, 2000 9:58 PM
Subject: Attacked by a Virus and Survived.
> Hi!
>
> I am not sure if this message has already been sent or not. My apologies
> for any duplication!
>
> Recently several members of this list received this wonderful email from a
> list member that had a suspicious looking file attachment. Instead of
> clicking it, I opened it using appropriate tools and voilà! It was a potent
> Virus! It could also mutate itself with the following names and send itself
> to people in my address book....
>
> README.TXT.pif
> I_wanna_see_YOU.TXT.pif
> MATRiX_Screen_Saver.SCR
> LOVE_LETTER_FOR_YOU.TXT.pif
> NEW_playboy_Screen_saver.SCR
> BILL_GATES_PIECE.JPG.pif
> TIAZINHA.JPG.pif
> FEITICEIRA_NUA.JPG.pif
> Geocities_Free_sites.TXT.pif
> NEW_NAPSTER_site.TXT.pif
> METALLICA_SONG.MP3.pif
> ANTI_CIH.EXE
> INTERNET_SECURITY_FORUM.DOC.pif
> ALANIS_Screen_Saver.SCR
> READER_DIGEST_LETTER.TXT.pif
> WIN_$100_NOW.DOC.pif
> IS_LINUX_GOOD_ENOUGH!.TXT.pif
> QI_TEST.EXE
> AVP_Updates.EXE
> SEICHO-NO-IE.EXE
> YOU_are_FAT!.TXT.pif
> FREE_xxx_sites.TXT.pif
> I_am_sorry.DOC.pif
> Me_nude.AVI.pif
> Sorry_about_yesterday.DOC.pif
> Protect_your_credit.HTML.pif
> JIMI_HMNDRIX.MP3.pif
> HANSON.SCR
> FUCKING_WITH_DOGS.SCR
> MATRiX_2_is_OUT.SCR
> zipped_files.EXE
> BLINK_182.MP3.pif
>
> If you receive any of these files, DON'T open them.
>
> Later, I realized that many people would not have survived this attack. So
> I have compiled "The 9 Step Guide To Virus Protection" and you can retrieve
> it FREE by sending a blank email to [EMAIL PROTECTED] and the
> autoresponder will immediately send you the Guide by return email.
>
> Hope this helps! Please do forward this email to all your friends to help
> them stay virus free as well.
>
> Best Regards!
>
> Raza Jaffri
>
>