Virus Profile: W95/MTX.gen@M

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/23/2000
Date Added: 8/24/2000
Origin: Germany
Length: 18,483 bytes
Type: Virus
Subtype: Internet Worm
DAT Required: 4093

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The virus has the ability to block access to certain anti-virus web sites. When an attempt is made to access those sites, your web browser may crash.

Existence of these files on the local system (Windows folder):

IE_PACK.EXE
MTX_.EXE
WIN32.DLL
WSOCK32.MTX

The file WININIT.INI is modified so that, on the next reboot, the regular WSOCK32.DLL is replaced by the dropped file WSOCK32.MTX.

When this virus sends itself via email, it could be one of the following file names, randomly picked (note that some of these filenames are also associated with other threats, such as W32/Badtrans@MM):

ALANIS_Screen_Saver.SCR
ANTI_CIH.EXE
AVP_Updates.EXE
BILL_GATES_PIECE.JPG.pif
BLINK_182.MP3.pif
FEITICEIRA_NUA.JPG.pif
FREE_xxx_sites.TXT.pif
FUCKING_WITH_DOGS.SCR
Geocities_Free_sites.TXT.pif
HANSON.SCR
I_am_sorry.DOC.pif
I_wanna_see_YOU.TXT.pif
INTERNET_SECURITY_FORUM.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
JIMI_HMNDRIX.MP3.pif
LOVE_LETTER_FOR_YOU.TXT.pif
MATRiX_2_is_OUT.SCR
MATRiX_Screen_Saver.SCR
Me_nude.AVI.pif
METALLICA_SONG.MP3.pif
NEW_NAPSTER_site.TXT.pif
NEW_playboy_Screen_saver.SCR
Protect_your_credit.HTML.pif
QI_TEST.EXE
READER_DIGEST_LETTER.TXT.pif
SEICHO-NO-IE.EXE
Sorry_about_yesterday.DOC.pif
TIAZINHA.JPG.pif
WIN_$100_NOW.DOC.pif
YOU_are_FAT!.TXT.pif
zipped_files.EXE

This virus creates these registry keys:

HKLM\Software\[MATRiX]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemBackup = "C:\WINDOWS\MTX_.EXE"

Methods of Infection

When the user double-clicks on the attached file, several files are dropped. Dropped files (some are marked Hidden) may be:

IE_PACK.EXE,
MTX_.EXE,
WIN32.DLL
WSOCK32.MTX

The file WININIT.INI is modified so that, on the next reboot, the regular WSOCK32.DLL is replaced by the dropped file WSOCK32.MTX. MTX_.EXE is started from the system registry at Windows startup and becomes memory resident when the virus is first executed on the system.

MTX_.EXE runs as a process and every 2 minutes makes an Internet connection from the system, communicating on TCP port 1137.
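As an added example, not part of the profile or of any vendor tool: a small Python checker built from the indicators listed above (the dropped-file names, the WININIT.INI rename of WSOCK32.DLL, the SystemBackup Run value and the double-extension attachment names). The WININIT.INI text and the Run-key dictionary it is fed are constructed samples, not data from a real system.

```python
import re

# Indicators quoted from the profile above. The KNOWN_ATTACHMENTS set is a
# subset of the page's list; the regex covers the "document.ext.pif" pattern.
DROPPED_FILES = {"IE_PACK.EXE", "MTX_.EXE", "WIN32.DLL", "WSOCK32.MTX"}
KNOWN_ATTACHMENTS = {"I_am_sorry.DOC.pif", "zipped_files.EXE",
                     "MATRiX_Screen_Saver.SCR", "AVP_Updates.EXE"}
DOUBLE_EXT = re.compile(r"\.(txt|doc|jpg|mp3|avi|html)\.(pif|scr|exe)$", re.I)


def parse_wininit_renames(ini_text):
    """Return (destination, source) pairs from the [rename] section.
    Windows 9x processes these renames on the next boot, before the DLLs are
    loaded, which is how the dropped WSOCK32.MTX ends up as WSOCK32.DLL."""
    renames, in_rename = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dst, src = (p.strip() for p in line.split("=", 1))
            renames.append((dst, src))
    return renames


def wininit_hijacks_wsock32(ini_text):
    """True if WSOCK32.DLL is scheduled to be overwritten by a .MTX file."""
    return any(dst.upper().endswith("WSOCK32.DLL") and src.upper().endswith(".MTX")
               for dst, src in parse_wininit_renames(ini_text))


def run_key_loads_mtx(run_values):
    """run_values: value name -> command, as read from the ...\\CurrentVersion\\Run key.
    Returns the names of values that start MTX_.EXE (quotes are tolerated)."""
    return [name for name, cmd in run_values.items()
            if cmd.strip('"').upper().endswith("MTX_.EXE")]


def suspicious_attachment(name):
    """Known MTX attachment name, or a double extension hiding a .pif/.scr/.exe."""
    return name in KNOWN_ATTACHMENTS or bool(DOUBLE_EXT.search(name))


def windows_dir_indicators(filenames):
    """Dropped-file names present in a listing of the Windows folder (case-insensitive)."""
    return sorted(f for f in filenames if f.upper() in DROPPED_FILES)


if __name__ == "__main__":  # constructed sample WININIT.INI
    sample = "[rename]\nC:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\WSOCK32.MTX\n"
    print("WININIT.INI hijack:", wininit_hijacks_wsock32(sample))
```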

Aliases

BackDoor.Matrix.6144, I-Worm.MTX, I-Worm.MTX.b, MTX_.exe, PE_MTX.A, TROJ_MTX.A, TROJ_MTX.B, TROJ_MTX.D, W32/Apology, W32/Apology-B, W32/MTX.gen@M, W32/MTX@M, W32/Sabi.Ins, W95.MTX, W95.MTX.dr, W95/MTX.9244, W95/MTX.dll@M, W95/MTX.svr, W95/MTX@M, Win95.Matrix.9216

Virus Characteristics

Update - November 30, 2000:
AVERT recommends that all users add the .PIF extension to the list of scanned extensions, so that some forms of this threat, as well as other threats that use .PIF techniques, are detected.

Update - September 19, 2000:
McAfee AVERT has raised the ARA for this virus from Low to Medium based on customer samples received to date.

Removal of this virus requires 4095 DAT files. This virus was discovered by McAfee AVERT Aug 23, 2000.

This is a 32-bit PE file infector for Windows 9x/NT systems. This virus modifies WSOCK32.DLL in an effort to hook SMTP traffic and attach itself to outgoing mail. This virus searches for available shares through Network Neighborhood in an effort to spread to other host systems.

W32/MTX@M is a combination of a Virus, Worm and Backdoor.

-Worm/Backdoor part: because the virus has mailing capabilities, users may receive an e-mail with a file attachment. The attachment name varies, but it may look like I_am_sorry_doc.pif or zipped_files.exe. Regardless of the deceptive filename and extension, the attached file is in fact a 32-bit PE file (Portable Executable, the common executable format on Win9x/WinNT).

-Virus part: the virus also modifies 32-bit PE files, such as .EXE and .DLL files, in the Windows folder. It may also search locally mapped drives for target files.

Use specified engine and DAT files for detection and removal.

Windows 95/98 systems require rebooting to MS-DOS mode and scanning with the command line scanner SCANPM in order to clean files such as EXPLORER.EXE and TASKMON.EXE. Run the command line scanner, for example:
"SCANPM.EXE C: /CLEAN /ALL"

The WSOCK32.DLL file can be restored from backup. On Windows 98/ME, use SFC to recover WSOCK32.DLL as described below; the Windows 95 and Windows NT/2000 procedures follow.

Windows 98/ME
- (Win98 only) Click the START MENU|RUN, type SFC and click OK. Choose Extract one file from the installation disk
- (WinME only) Click the START MENU|RUN, type MSCONFIG and click OK. Click the EXTRACT FILE... button
(Both Win98/ME)
- Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click Start.
- In the Restore from box type C:\WINDOWS\OPTIONS\CABS or browse to the Win98 (or WinME) directory on your Windows CD-ROM
- Click OK and follow remaining prompts

Wsock32.dll file exists within the Precopy1.cab cabinet file on the Windows CD-ROM.

Windows 95
WSOCK32.DLL can be found in the following CAB files:
Win95_11.cab on the Windows 95 CD-ROM
Win95_18.cab on the Windows 95 OSR2 CD-ROM
Win95_12.cab on the Windows 95 DMF disks
Win95_19.cab on the Windows 95 non-DMF disks

Below is an example for standard Windows 95
- Click the START MENU|SHUT DOWN choose RESTART IN MS-DOS MODE
- Type: EXTRACT /A C:\WINDOWS\OPTIONS\CABS\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
or
- Insert your Windows 95 CD-ROM and type:
EXTRACT /A D:\WIN95\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
where D: is your CD-ROM drive

Windows NT/2000
Rename the Wsock32.dll file in the Winnt\System32 folder to Wsock32.old.

For information about how to rename a file, click Start, click Help, click the Index tab, type renaming, and then double-click the "Renaming files" topic.

Click Start, point to Programs, and then click Command Prompt.

Type cd\, and then press ENTER.

Insert the Windows CD-ROM into the CD-ROM drive, and then close the Startup Screen if it appears.

Type the following line at the command prompt, and then press ENTER.

expand <drive>:\i386\wsock32.dl_ c:\<windows>\system32\wsock32.dll where <drive> is the drive letter assigned to your CD-ROM drive, and where <windows> is the name of the folder in which Windows is installed.

Type exit, and then press ENTER to return to Windows.

Additional Windows ME information:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

Disabling the Restore Utility

1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse to the files located in the C:\_Restore folder and remove them.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and System Restore is once again active.