Theos-Talk Archives (February 2001 Message tt00177)

Found on another list. I've received several copies of the
noted attachments.
-----------------------------------------------------------------------------
Fellow List Members,
Take heed to the following info I have gathered from
the recent file attachment going around on the list.
=====================Virus Found=======================
Scan Result:
Name of File: Sorry_about_yesterday.DOC.pif
Type of File: application/octet-stream
Scan Result: Virus W95.MTX.dr found. File NOT
cleaned.
This file is infected with a computer virus, a
program that can spread to many other files on your
computer and can delete files, steal sensitive
information, or render your machine unusable.
This attachment has a virus that may infect your
computer. It cannot be cleaned.
We recommend that you DO NOT download this attachment.
===================Virus Found========================
List Members,
If you've received a strange file attachement, do not
open it. Delete it at once. I received the same file
attachment last night and found it to be a virus.

This is a 32bit PE file infector for Windows 9x/NT systems. This
virus
modifies WSOCK32.DLL in an effort to hook SMTP traffic as an
attachment.
This virus searches for available shares through Network
Neighborhood in an
effort to transfer to host systems.
W32/MTX@MM is a combination of a Virus, Worm and Backdoor.
-Worm/Backdoor part: As it has mailing capabilities users may
receive an
e-mail with a file attachment, the name of the attachment is
variable, but
it may be like: I_am_sorry_doc.pif, or zipped_files.exe etc.
Regardless of
the deceiving filename and extension, the attached file as such
is in fact a
32 bit "pe" file. (Portable Excutable file, common on
win9x/winNT).
-Virus part: the virus also modified 32 bit pe files, like .EXE
and .DLL, in
the windows folder. It might search local mapped drives for
target files.
INDICATIONS OF INFECTION
Existence of these files on the local system (Windows folder):
IE_PACK.EXE
MTX_.EXE
WIN32.DLL
WSOCK32.MTX
The file WININIT.INI is modified to replace calling of the
regular
wsock32.dll with the dropped file wsock32.mtx after next reboot.
When this virus sends itself via email, it could be one of the
following
file names, randomly picked:
ALANIS_Screen_Saver.SCR
ANTI_CIH.EXE
AVP_Updates.EXE
BILL_GATES_PIECE.JPG.pif
BLINK_182.MP3.pif
' FEITICEIRA_NUA.JPG.pif
FREE_xxx_sites.TXT.pif
FUCKING_WITH_DOGS.SCR
Geocities_Free_sites.TXT.pif
HANSON.SCR
I_am_sorry.DOC.pif
I_wanna_see_YOU.TXT.pif
INTERNET_SECURITY_FORUM.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
JIMI_HMNDRIX.MP3.pif
LOVE_LETTER_FOR_YOU.TXT.pif
MATRiX_2_is_OUT.SCR
MATRiX_Screen_Saver.SCR
Me_nude.AVI.pif
METALLICA_SONG.MP3.pif
NEW_NAPSTER_site.TXT.pif
NEW_playboy_Screen_saver.SCR
Protect_your_credit.HTML.pif
QI_TEST.EXE
READER_DIGEST_LETTER.TXT.pif
SEICHO-NO-IE.EXE
Sorry_about_yesterday.DOC.pif
TIAZINHA.JPG.pif
WIN_$100_NOW.DOC.pif
YOU_are_FAT!.TXT.pif
zipped_files.EXE
This virus creates these key:
HKLM\Software\[MATRiX]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemBackup = "C:\WINDOWS\MTX_.EXE"
Method Of Infection
When the user doubleclicks on the attached file, several files
are being
dropped.Dropped files (some are marked Hidden) may be :
IE_PACK.EXE,
MTX_.EXE,
WIN32.DLL
WSOCK32.MTX
The file WININIT.INI is modified to replace calling of the
regular
wsock32.dll with the dropped file wsock32.mtx after next reboot.
MTX_.EXE
runs from the system registry at Windows startup and is memory
resident when
the virus is first executed on the system.
MTX_.EXE runs as a process and makes Internet calls every 2
minutes on the
system in communication on TCP port 1137.
Removal Instructions
Use specified engine and DAT files for detection and removal.
Windows 95/98 systems require rebooting to MS-DOS mode and
scanning with the
command line scanner SCANPM in order to clean such files as
EXPLORER.EXE and
TASKMON.EXE.
The WSOCK32.DLL file can be restored from backup. This can be
done by:
Windows 98/2000/ME
- Click the START MENU|RUN, type SFC and click OK.
- Choose Extract one file from the installation disk
- Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click Start.
- In the Restore from box type C:\WINDOWS\OPTIONS\CABS or browse
to the
Win98 directory on your Windows98 CD-ROM
- Click OK and follow remaining prompts
Wsock32.dll file exists within the Precopy1.cab cabinet file on
the Windows
98 CD-ROM.
Windows95
WSOCK32.DLL can be found in the following CAB files:
Win95_11.cab on the Windows 95 CD-ROM
Win95_18.cab on the Windows 95 OSR2 CD-ROM
Win95_12.cab on the Windows 95 DMF disks
Win95_19.cab on the Windows 95 non-DMF disks
Below is an example for standard Windows 95
- Click the START MENU|SHUT DOWN choose RESTART IN MS-DOS MODE
- Type: EXTRACT /A C:\WINDOWS\OPTIONS\CABS\WIN95_11.CAB
WSOCK32.DLL /L
C:\WINDOWS\SYSTEM
or
- Insert your Windows95 CD-ROM and type:
EXTRACT /A D:\WIN95\WIN95_11.CAB WSOCK32.DLL /L
C:\WINDOWS\SYSTEM Where D:
is your CD-ROM drive
WindowsNT 4.0
Rename the Wsock32.dll file in the Windows\System32 folder to
Wsock32.old.
For information about how to rename a file, click Start, click
Help, click
the Index tab, type renaming, and then double-click the
''Renaming files''
topic.
Click Start, point to Programs, and then click Command Prompt.
Type cd\, and then press ENTER.
Insert the Windows NT CD-ROM into the CD-ROM drive, and then
close the
Windows NT screen if it appears.
Type the following line at the command prompt, and then press
ENTER.
expand <drive>:\i386\wsock32.dl_
c:\<windows>\system32\wsock32.dll where <drive> is
the drive
letter assigned to your CD-ROM drive, and where <windows>
is the name
of the folder in which Windows NT is installed.
Type exit, and then press ENTER to return to windows.
Virus Information
Discovery Date: 8/23/00
Origin: Germany
Length: 18,483 bytes
Type: Virus
SubType: Internet Worm
Risk Assessment: Medium
Aliases
BackDoor.Matrix.6144, I-Worm.MTX, I-Worm.MTX.b, MTX_.exe,
PE_MTX.A,
TROJ_MTX.A, TROJ_MTX.B, TROJ_MTX.D, W32/Apology, W32/Apology-B,
W32/MTX.gen@M, W32/MTX@M, W32/Sabi.Ins, W95.MTX, W95.MTX.dr,
W95/MTX.9244,
W95/MTX.dll@M, W95/MTX.svr, W95/MTX@M, Win95.Matrix.9216