
Help - we seem to have caught a very strange virus.


Orestes

Oct 17, 2000, 3:00:00 AM10/17/00
Through Outlook express of course.
Neither our trojan horse checker nor virus checker managed to detect and
clean it. It came through an email with an attachment titled
"Is_Linux_good_enough.txt!.pif", which I absent-mindedly decided to save
and open, and it apparently causes us to send out an email Q1_test.exe to
anyone we email. (we actually caught it after our first email since it
bounced fortunately, and we don't dare click on that one)
The virus also appears to be shutting down our Internet Browsers
(Netscape and IE) whenever we try to visit a virus library to find out what
the @#$@#$#$l we are dealing with. Curiously, the browsers remain fully
functional when we visit any other type of site.
At this point, we don't dare shut our systems down, for fear that
something nasty would occur on reboot.
If anyone can provide any information, it would be much appreciated.

Jacob

Orestes

Oct 17, 2000, 3:00:00 AM10/17/00
We have now found out the following:

Profile

Virus Name
W32/MTX@mm

Aliases
I-Worm.MTX
MTX_.exe

Variants
None

Description Added
8/24/00 1:18:15 PM

Virus Information

Discovery Date: 8/23/00
Origin: Germany
Length: 18,483 bytes
Type: Virus
SubType: Internet Worm
Risk Assessment: Low
Minimum Engine: 4.0.70
Minimum Dat: 4093
DAT Release Date: 08/30/2000


Virus Characteristics
This virus was discovered by McAfee AVERT Aug 23, 2000.

This is a 32bit PE file infector for Windows 9x/NT systems. This virus modifies WSOCK32.DLL in an effort to hook SMTP traffic as an attachment. This virus searches for available shares through Network Neighborhood in an effort to transfer to host systems.

W32/MTX@MM is a combination of a Virus, Worm and Backdoor.

-Worm/Backdoor part: As it has mailing capabilities users may receive an e-mail with a file attachment, the name of the attachment is variable, but it may be like: I_am_sorry_doc.pif, or zipped_files.exe etc. Regardless of the deceiving filename and extension, the attached file as such is in fact a 32 bit "pe" file. (Portable Executable file, common on win9x/winNT).

-Virus part: the virus also modified 32 bit pe files, like .EXE and .DLL, in the windows folder. It might search local mapped drives for target files.

Symptoms
Existence of these files on the local system (Windows folder):

IE_PACK.EXE
MTX_.EXE
WIN32.DLL
WSOCK32.MTX


The file WININIT.INI is modified to replace calling of the regular wsock32.dll with the dropped file wsock32.mtx after next reboot.

When this virus sends itself via email, it could be one of the following file names, randomly picked:

ALANIS_Screen_Saver.SCR
ANTI_CIH.EXE
AVP_Updates.EXE
BILL_GATES_PIECE.JPG.pif
BLINK_182.MP3.pif
FEITICEIRA_NUA.JPG.pif
FREE_xxx_sites.TXT.pif
FUCKING_WITH_DOGS.SCR
Geocities_Free_sites.TXT.pif
HANSON.SCR
I_am_sorry.DOC.pif
I_wanna_see_YOU.TXT.pif
INTERNET_SECURITY_FORUM.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
JIMI_HMNDRIX.MP3.pif
LOVE_LETTER_FOR_YOU.TXT.pif
MATRiX_2_is_OUT.SCR
MATRiX_Screen_Saver.SCR
Me_nude.AVI.pif
METALLICA_SONG.MP3.pif
NEW_NAPSTER_site.TXT.pif
NEW_playboy_Screen_saver.SCR
Protect_your_credit.HTML.pif
QI_TEST.EXE
READER_DIGEST_LETTER.TXT.pif
SEICHO-NO-IE.EXE
Sorry_about_yesterday.DOC.pif
TIAZINHA.JPG.pif
WIN_$100_NOW.DOC.pif
YOU_are_FAT!.TXT.pif
zipped_files.EXE


This virus creates these keys:

HKLM\Software\[MATRiX]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemBackup = "C:\WINDOWS\MTX_.EXE"

Method Of Infection
When the user double-clicks on the attached file, several files are being dropped. Dropped files (some are marked Hidden) may be:

IE_PACK.EXE,
MTX_.EXE,
WIN32.DLL
WSOCK32.MTX


The file WININIT.INI is modified to replace calling of the regular wsock32.dll with the dropped file wsock32.mtx after next reboot. MTX_.EXE runs from the system registry at Windows startup and is memory resident when the virus is first executed on the system.

MTX_.EXE runs as a process and makes Internet calls every 2 minutes on the system in communication on TCP port 1137.

Removal Instructions
Script,Batch,Macro and non memory-resident:
Use specified engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use an emergency boot diskette and use the command line scanner such as "SCANPM C: /CLEAN /ALL"

AVERT Recommended Updates:
Note1- Microsoft has released an update for

* Outlook to protect against "Malformed E-mail MIME Header" vulnerability at this link
Orestes <think...@dlcwest.com> wrote in message
news:39ebf...@news.newsdudes.com...
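As an added example (not part of the original thread or the McAfee profile), the following script checks the three indicators the profile above lists: the dropped files in the Windows folder, the SystemBackup value under the Run key, and a [rename] entry in WININIT.INI that would swap wsock32.dll for wsock32.mtx at the next boot. The host data it runs on is constructed sample input; on a real machine the same functions would be fed the actual WININIT.INI text, Run key values and a directory listing.

```python
# Indicators quoted in the W32/MTX@mm profile above.
MTX_DROPPED_FILES = {"IE_PACK.EXE", "MTX_.EXE", "WIN32.DLL", "WSOCK32.MTX"}
MTX_RUN_NAME, MTX_RUN_DATA = "SystemBackup", r"C:\WINDOWS\MTX_.EXE"


def wininit_rename_hijacks(wininit_text):
    """Return (dest, src) pairs from the [rename] section of WININIT.INI that
    would replace wsock32.dll with a .mtx file. WININIT.INI rename lines are
    'destination=source' and are applied by Windows 9x at the next boot."""
    hits, in_rename = [], False
    for raw in wininit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, src = (p.strip() for p in line.split("=", 1))
            if dest.lower().endswith("wsock32.dll") and src.lower().endswith(".mtx"):
                hits.append((dest, src))
    return hits


def scan_for_mtx(wininit_text, run_values, windows_dir_listing):
    """Combine the three host observations into one findings dict.
    run_values: {value_name: data} read from HKLM\\...\\CurrentVersion\\Run.
    windows_dir_listing: file names found in the Windows folder."""
    present = {name.upper() for name in windows_dir_listing}
    findings = {
        "dropped_files": sorted(MTX_DROPPED_FILES & present),
        "run_key": [(name, data) for name, data in run_values.items()
                    if name.lower() == MTX_RUN_NAME.lower()
                    or data.upper().endswith("\\MTX_.EXE")],
        "wininit_hijack": wininit_rename_hijacks(wininit_text),
    }
    findings["infected"] = any(findings[k] for k in
                               ("dropped_files", "run_key", "wininit_hijack"))
    return findings


# Constructed sample host data (not captured from a real system).
SAMPLE_WININIT = "[rename]\nC:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\WSOCK32.MTX\n"
SAMPLE_RUN = {"SystemBackup": r"C:\WINDOWS\MTX_.EXE",
              "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"}
SAMPLE_DIR = ["win.ini", "MTX_.EXE", "ie_pack.exe", "wsock32.mtx", "notepad.exe"]
CLEAN_WININIT = "[rename]\nNUL=C:\\WINDOWS\\TEMP\\setup.tmp\n"

if __name__ == "__main__":
    print(scan_for_mtx(SAMPLE_WININIT, SAMPLE_RUN, SAMPLE_DIR))
```

A rename entry whose destination is wsock32.dll is the indicator worth acting on before rebooting, since the swap only takes effect at the next boot.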

Orestes

Oct 17, 2000, 3:00:00 AM10/17/00
Could someone who runs Windows 98 please advise as to the contents of their
wininit.ini file,
asap? Thx.

Todder

Oct 17, 2000, 3:00:00 AM10/17/00
Orestes wrote:

I run Windows 98 and we don't have a wininit.ini file.

