I received a virus alert (below) this morning and I've already received the
file on at least one of my accounts. Is there a way to set up processing
rules so that any email sent with a .pif attachment is routed to a certain
mailbox?

Also, is there a way to send any email with an attachment to a certain
mailbox, but only for certain users?

Thanks for any help!

T. Bradley Dean
[EMAIL PROTECTED]

============================================================================
This is a nasty one:

Virus Profile

W95/MTX.gen@M is a Medium risk Virus


Virus Name: W95/MTX.gen@M
Date Added: 8/24/00 1:18:15 PM

Virus Characteristics
Update - September 19, 2000:
McAfee AVERT has raised the ARA for this virus from Low to Medium based on
customer samples received to date.
Removal of this virus requires 4095 DAT files. This virus was discovered by
McAfee AVERT Aug 23, 2000.

This is a 32bit PE file infector for Windows 9x/NT systems. This virus
modifies WSOCK32.DLL in an effort to hook SMTP traffic as an attachment.
This virus searches for available shares through Network Neighborhood in an
effort to transfer to host systems.

W32/MTX@MM is a combination of a Virus, Worm and Backdoor.

-Worm/Backdoor part: As it has mailing capabilities users may receive an
e-mail with a file attachment, the name of the attachment is variable, but
it may be like: I_am_sorry_doc.pif, or zipped_files.exe etc. Regardless of
the deceiving filename and extension, the attached file as such is in fact a
32 bit "pe" file. (Portable Executable file, common on win9x/winNT).

-Virus part: the virus also modified 32 bit pe files, like .EXE and .DLL, in
the windows folder. It might search local mapped drives for target files.




Indications Of Infection
Existence of these files on the local system (Windows folder):

IE_PACK.EXE
MTX_.EXE
WIN32.DLL
WSOCK32.MTX


The file WININIT.INI is modified to replace calling of the regular
wsock32.dll with the dropped file wsock32.mtx after next reboot.

When this virus sends itself via email, it could be one of the following
file names, randomly picked:

ALANIS_Screen_Saver.SCR
ANTI_CIH.EXE
AVP_Updates.EXE
BILL_GATES_PIECE.JPG.pif
BLINK_182.MP3.pif
FEITICEIRA_NUA.JPG.pif
FREE_xxx_sites.TXT.pif
FUCKING_WITH_DOGS.SCR
Geocities_Free_sites.TXT.pif
HANSON.SCR
I_am_sorry.DOC.pif
I_wanna_see_YOU.TXT.pif
INTERNET_SECURITY_FORUM.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
JIMI_HMNDRIX.MP3.pif
LOVE_LETTER_FOR_YOU.TXT.pif
MATRiX_2_is_OUT.SCR
MATRiX_Screen_Saver.SCR
Me_nude.AVI.pif
METALLICA_SONG.MP3.pif
NEW_NAPSTER_site.TXT.pif
NEW_playboy_Screen_saver.SCR
Protect_your_credit.HTML.pif
QI_TEST.EXE
READER_DIGEST_LETTER.TXT.pif
SEICHO-NO-IE.EXE
Sorry_about_yesterday.DOC.pif
TIAZINHA.JPG.pif
WIN_$100_NOW.DOC.pif
YOU_are_FAT!.TXT.pif
zipped_files.EXE


This virus creates these keys:

HKLM\Software\[MATRiX]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemBackup = "C:\WINDOWS\MTX_.EXE"

Method Of Infection
When the user double-clicks on the attached file, several files are
dropped. Dropped files (some are marked Hidden) may be:

IE_PACK.EXE
MTX_.EXE
WIN32.DLL
WSOCK32.MTX


The file WININIT.INI is modified to replace calling of the regular
wsock32.dll with the dropped file wsock32.mtx after next reboot. MTX_.EXE
runs from the system registry at Windows startup and is memory resident when
the virus is first executed on the system.

MTX_.EXE runs as a process and makes Internet calls every 2 minutes on the
system in communication on TCP port 1137.

Removal Instructions
Script, Batch, Macro and non memory-resident:
Use specified engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS
mode or use an emergency boot diskette and use the command line scanner such
as "SCANPM C: /CLEAN /ALL"

AVERT Recommended Updates:
Note1- Microsoft has released an update for

* Outlook to protect against "Malformed E-mail MIME Header" vulnerability at
this link

* Outlook as an email attachment security update

* Exchange 5.5 as a post SP3 Information Store Patch 5.5.2652.42 - this
patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ,
visit this link.
Additionally, Network Administrators can configure this update using an
available tool - visit this link for more information.

Note2- It is very common for macro viruses to disable options within Office
applications; for example, in Word the macro protection warning is commonly
disabled. After cleaning macro viruses, ensure that your previously set
options are again enabled.


Virus Information
 Discovery Date: 8/23/00
 Origin: Germany
 Length: 18,483 bytes
 Type: Virus
 SubType: Internet Worm
 Risk Assessment: Medium


Aliases
I-Worm.MTX, MTX_.exe, PE_MTX, W32/Apology, W32/Apology-B, W32/MTX.gen@M,
W32/MTX@M, W32/MTX@mm, W95.MTX
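
Added example, not part of the original post and not IMail's own rule syntax: the two routing rules asked about at the top of this message, written as a Python filter and applied to the attachment naming pattern the alert lists. The mailbox addresses, the watched-user list and all function names are assumptions for illustration.

```python
from email.message import EmailMessage

# Final extensions that Windows runs; these three are the ones in the alert.
EXECUTABLE_EXT = {"pif", "scr", "exe"}
# Harmless-looking extensions the alert shows in front of ".pif".
DECOY_EXT = {"jpg", "mp3", "txt", "doc", "avi", "html"}
# Assumed mailbox names and user list (not from the post).
QUARANTINE = "quarantine@example.com"
REVIEW = "attachment-review@example.com"
WATCHED_USERS = {"alice@example.com"}


def attachment_names(msg):
    """Return the filename of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(name):
    """Return 'disguised' (NAME.TXT.pif), 'executable' (NAME.exe) or 'other'."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    exts = name.strip().rstrip(". ").lower().split(".")[1:]
    if not exts or exts[-1] not in EXECUTABLE_EXT:
        return "other"
    if len(exts) > 1 and exts[-2] in DECOY_EXT:
        return "disguised"
    return "executable"


def route(msg, recipient):
    """Pick the delivery mailbox for one recipient of msg."""
    names = attachment_names(msg)
    if any(classify(n) != "other" for n in names):
        return QUARANTINE  # rule 1: executable attachment, applies to every user
    if names and recipient.lower() in WATCHED_USERS:
        return REVIEW      # rule 2: any attachment, but only for selected users
    return recipient       # no rule matched: deliver normally


def sample(filename=None):
    """Build a constructed test message; the attachment body is placeholder bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "bob@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    if filename:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg
```

Matching on the final extension rather than on the listed names matters because the alert says the attachment name is picked at random.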


