Comrades,

As most of you will probably have noticed by now, LI has been hit by the MTX
virus.

First of all I want to apologize for any inconvenience this might have
caused to LI subscribers.  At the moment we are discussing steps to prevent
this from happening again.

As a general rule I would like to remind listers to be very careful about
opening attachments and to make sure they have switched off the execution of
script code in their email client.

Unfortunately the MTX virus usually comes in an attachment from a
trustworthy person. But there are still some heuristic ways you can
identify it: If you receive an email with an attachment and the subject line
says: (no subject), you should be very careful. The attachment can have one
of the following file names:

README.TXT.pif
I_wanna_see_YOU.TXT.pif
MATRiX_Screen_Saver.SCR
LOVE_LETTER_FOR_YOU.TXT.pif
NEW_playboy_Screen_saver.SCR
BILL_GATES_PIECE.JPG.pif
TIAZINHA.JPG.pif
FEITICEIRA_NUA.JPG.pif
Geocities_Free_sites.TXT.pif
NEW_NAPSTER_site.TXT.pif
METALLICA_SONG.MP3.pif
ANTI_CIH.EXE
INTERNET_SECURITY_FORUM.DOC.pif
ALANIS_Screen_Saver.SCR
READER_DIGEST_LETTER.TXT.pif
WIN_$100_NOW.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
QI_TEST.EXE
AVP_Updates.EXE
SEICHO-NO-IE.EXE
YOU_are_FAT!.TXT.pif
FREE_xxx_sites.TXT.pif
I_am_sorry.DOC.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
Protect_your_credit.HTML.pif
JIMI_HMNDRIX.MP3.pif
HANSON.SCR
FUCKING_WITH_DOGS.SCR
MATRiX_2_is_OUT.SCR
zipped_files.EXE
BLINK_182.MP3.pif

IF YOU SEE ONE OF THESE FILE NAMES, NEVER OPEN THE ATTACHMENT!

What to do when you are hit by the virus?

First of all: DON'T PANIC. Just sit down, take a break and then make sure you
do not send out any more mails from that machine. If you have access to a
second machine, use the clean one to download anti-viral SW and detach the
infected machine from the net. If you don't have a second machine, you still
can use the infected machine to get the anti-viral software.

Now you could perform the following steps:

- Make sure you delete these files:
IE_PACK.EXE - pure Worm code
WIN32.DLL - Worm code infected by the virus (as "Infected File" above)
MTX_.EXE - Backdoor code

 - If you find lines like this in the win.in file delete them:
NUL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WSOCK32.DLL=D:\WINDOWS\SYSTEM\WSOCK32.MTX

Run regedit and delete these entries:
HKLM\Software\[MATRIX]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
SystemBackup=%WinDir%\MTX_.EXE
where %WinDir% is Windows directory.

Now you can let the anti-viral SW do its work:
I removed the virus from my machine with this SW:
http://www.nod32.com/download_free.htm

Please note you have to download both the DOS and the Windows programme.
Then you have to boot to DOS, execute the DOS clean-up and then boot again
to Windows and perform the Windows cleanup.

Hope that helps.

If anyone needs assistance please contact me privately:
[EMAIL PROTECTED]

Johannes
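
The heuristic from the message above (a blank subject plus an executable attachment hiding behind a harmless-looking extension), written as a mail check. This is an added example, not part of the original message; it generalizes from the listed names to any attachment ending in .pif, .scr or .exe, and the function names and example.org addresses are made up for illustration.

```python
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Final extensions that Windows runs directly; all three occur in the list above.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe"}
# Harmless-looking inner extensions used as decoys in the list above.
DECOY_EXTS = {".txt", ".jpg", ".doc", ".mp3", ".avi", ".html"}


def attachment_findings(filename):
    """Return the reasons one attachment name looks suspicious (empty if none)."""
    findings = []
    stem, last = os.path.splitext(filename.strip().lower())
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable extension {last}")
        inner = os.path.splitext(stem)[1]
        if inner in DECOY_EXTS:
            findings.append(f"decoy extension {inner} before {last}")
    return findings


def triage(raw_message):
    """Flag risky attachments in a raw RFC 822 message and note a blank subject."""
    msg = message_from_string(raw_message, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        hits = attachment_findings(name) if name else []
        if hits:
            flagged[name] = hits
    subject = (msg["Subject"] or "").strip().lower()
    return {"attachments": flagged,
            "blank_subject": subject in ("", "(no subject)")}


def sample_message(subject, filename):
    """Build a constructed test mail (not a captured sample) with dummy bytes."""
    msg = EmailMessage()
    if subject is not None:
        msg["Subject"] = subject
    msg["From"] = "friend@example.org"
    msg["To"] = "list@example.org"
    msg.set_content("see attachment")
    msg.add_attachment(b"dummy bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()
```

A mail is worth quarantining when `attachments` is non-empty; `blank_subject` only raises the suspicion further, since legitimate mail can also arrive without a subject.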


So far several people have had their computers infected by this MTX
virus. They all were running Microsoft Outlook [Express] as far as I
know.

Virus Information:
------------------

this site will give you the details on the virus:


http://www.viruslist.com/eng/viruslist.asp?id=4063&key=00001000130000100034

here you will find some instructions for cleaning your registry (for
pros) but you still need virus cleanup software as key system
components have been transmuted.

ZDNet coverage on virus:

  http://www.zdnet.com/zdhelp/stories/main/0,5594,2630479-3,00.html


Virus Characteristics:
---------------------

The virus has two significant characteristics for our purposes:

1.)  it causes an email follow-up to be sent automatically to anyone
you have already just emailed to -- in effect it sends twice, one your
message, and one the virus.

2.) it blocks your access to certain web sites which supply anti-virus
software programs. It does this via blocking specific names in a url,
like 'afee', which blocks you from McAfee's site, etc...

There are several other ways the virus affects your system. See the
topmost URL for details.



Virus Fixes:
------------

here is a site supposedly immune from the viral blocking of select IP
addresses, you can download trial software:

http://www.nod32.com/download_free.htm

[ for all I know these people wrote the damn virus and created its
unique characteristics so as to drive people towards their site, but
that's simply idle speculation ]

here are some directions for use:

  Nod32 is capable of removing the MTX worm and is not blocked by
  MTX's effects on your machine.  You should reboot to DOS mode and
  use the DOS version to remove the windows virus part, then you must
  use the windows version of nod32 to remove the backdoor part of this
  virus.  The banner below will take you there:

     [ http://www.nod32.com ]

you can, however, gain access to your preferred anti-virus supplier's
site if you enter in the dotted quad [numeric] version of the IP
address.

here is a link to a trial version of "AVP Platinum" software:

    ftp://216.122.120.248/pub/setupplt.exe

note the numbers for address, which prevent the URL from being
blocked. after you install, apparently you need to register the
software here:

    http://216.122.8.245/register.html

again the numeric URL prevents blocking.

directions for use:

   Below is a direct download link to AVP Platinum trial version on
   AVP's ftp site. Download this file, then register for an unlocking
   key, and run the setupplt.exe program to install AVP - it is fully
   capable of removing MTX from your system.

   ftp://216.122.120.248/pub/setupplt.exe

   This is the AVP website to register to use the trial software.
   Ensure that you provide an accurate email address, so that the
   unlocking key will be delivered to you by email.

   http://216.122.8.245/register.html


From ZDNet:

   http://www.zdnet.com/zdhelp/stories/main/0,5594,2644979,00.html


   October 25, 2000

   MTX is a complex and difficult virus to remove. MTX alters system
   files and on some systems these files cannot be repaired.  In some
   cases, after attempting to repair MTX, you will not be able to
   start Windows until you restore the needed system files from the
   original Windows installation CD.

   This document assumes that you are familiar with basic Windows and
   DOS procedures. If you are not, we suggest that you obtain the
   services of a qualified computer consultant.

   [snip]

For even more information, search www.google.com with keywords:

     MTX virus

for example:

     http://www.fireantivirus.com/MTX.htm





_______________________________________________
Leninist-International mailing list