
!!!!!!!!!! <= WATCH OUT: NEW VIRUS => !!!!!!!!!!


Renato
Oct 27, 2000, 12:50:47 PM
Received on 1/9/2000, and you are still going on about that now?

=============================================
E-News: InoculateIT Personal Edition AntiVirus
Newsletter from Computer Associates
Version 00.63 | September 1, 2000
via www: http://esupport.ca.com
=============================================

Table of Contents

- Win32/MTX.A.Worm

- Free active protection against e-mail worms

- InoculateIT Personal Edition AntiVirus
Update Number 445 available

=============================================
Win32/MTX.A.Worm
=============================================

Win32/MTX.A.Worm
(also known as Win32.Mtx, W32/MYX@mm, W32/Apology,
W32/MTX, and I-Worm.MTX)

Mtx is a 32-bit virus which also has worm-like
behavior and drops a trojan.

When an infected executable is run, the virus
infects files in the Windows directory. Mtx
then unpacks and drops its worm component
twice in the Windows directory as files with
the following names:

"Ie_pack.exe"
"Win32.dll"

A trojan file named "Mtx_.exe" is also
dropped in the Windows directory and a
registry key which runs the trojan each time
Windows reboots is created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\SystemBackup = \MTX_.EXE

The trojan attempts to download and run files
from a website which may contain other
malicious programs. Next, the worm part is
launched and it creates a modified version of
Wsock32.dll and sets it to replace the
original version when Windows next reboots.
Once the original version is replaced, the
new Wsock32.dll intercepts information being
sent (by the send() function) from the
computer to the network. If it detects that
an e-mail is being sent, it will immediately
send another e-mail to the same recipient.
The e-mail is the same with the virus added
as an attachment to the e-mail. Because of a
bug in this code, it fails to attach itself
correctly. The attachment name is randomly
picked from a list of names within the code
(shown here in the same order as in the
infected file):

README.TXT.pif
I_wanna_see_YOU.TXT.pif
MATRiX_Screen_Saver.SCR
LOVE_LETTER_FOR_YOU.TXT.pif
NEW_playboy_Screen_saver.SCR
BILL_GATES_PIECE.JPG.pif
TIAZINHA.JPG.pif
FEITICEIRA_NUA.JPG.pif
Geocities_Free_sites.TXT.pif
NEW_NAPSTER_site.TXT.pif
METALLICA_SONG.MP3.pif
ANTI_CIH.EXE
INTERNET_SECURITY_FORUM.DOC.pif
ALANIS_Screen_Saver.SCR
READER_DIGEST_LETTER.TXT.pif
WIN_$100_NOW.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
QI_TEST.EXE
AVP_Updates.EXE
SEICHO-NO-IE.EXE
YOU_are_FAT!.TXT.pif
FREE_xxx_sites.TXT.pif
I_am_sorry.DOC.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
Protect_your_credit.HTML.pif
JIMI_HMNDRIX.MP3.pif
HANSON.SCR
F******_WITH_DOGS.SCR
MATRiX_2_is_OUT.SCR
zipped_files.EXE
BLINK_182.MP3.pif

Beyond this, the replacement Wsock32.dll
monitors the location of HTTP requests (web-
browsing) and also the address of e-mail
recipients. The program will crash if it
detects that the user is attempting to access
an anti-virus site or send e-mail to an anti-
virus company. It detects this communication
by searching for substrings and strings in
the domain name from the following lists:

NII.
nai.
avp.
AVP.
F-Se
f-se
mapl
pand
soph
ndmi
afee
yenn
lywa
tbav
yman
wildlist.o
il.esafe.c
perfectsup
complex.is
HiServ.com
hiserv.com
metro.ch>
beyond.com
mcafee.com
pandasoftw
earthlink.
inexar.com
comkom.co.
meditrade.
mabex.com>
cellco.com
symantec.c
successful
inforamp.n
newell.com
singnet.co
bmcd.com.a
bca.com.nz
trendmicro
sophos.com
maple.com.
netsales.n
f-secure.c
F-Secure.c

The virus contains the following ASCII text:

Software provide by [MATRiX] VX team:
Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
Greetz:
All VX guy on #virus channel and Vecna
Visit us: www.coderz.net/matrix
