Win32/MTX

Win32/MTX is one of the most complex recent computer infiltrations. It combines a virus, a worm, a backdoor FTP server and a script for the mIRC and PIRCH IRC clients. [MATRiX], an international virus-writing group, was identified as the author of this malicious infiltration.
The worm installs itself into the system by replacing wsock32.dll, an important system file. To do this, it first creates an infected copy of the file under a different name, wsock32.mtx. Using the system registry, it arranges for the new file to be activated at the next system start-up. From then on the worm controls outgoing mail: every message sent is accompanied by a second, infected one. The infected message has the same Subject field, an empty body and an infected attachment. The name of the attachment is selected from the following 32 candidates:

README.TXT.pif
I_wanna_see_YOU.TXT.pif
MATRiX_Screen_Saver.SCR
LOVE_LETTER_FOR_YOU.TXT.pif
NEW_playboy_Screen_saver.SCR
BILL_GATES_PIECE.JPG.pif
TIAZINHA.JPG.pif
FEITICEIRA_NUA.JPG.pif
Geocities_Free_sites.TXT.pif
NEW_NAPSTER_site.TXT.pif
METALLICA_SONG.MP3.pif
ANTI_CIH.EXE
INTERNET_SECURITY_FORUM.DOC.pif
FREE_yahoo-email.DOC.pif
READER_DIGEST_LETTER.TXT.pif
WIN_$100_NOW.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
QI_TEST.EXE
AVP_Updates.EXE
SEICHO-NO-IE.EXE
YOU_are_FAT!.TXT.pif
FREE_xxx_sites.TXT.pif
I_am_sorry.DOC.pif
I_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
Protect_your_credit.HTML.pif
JIMI_HMNDRIX.MP3.pif
HANSON.SCR
FUCKING_WITH_DOGS.SCR
MATRiX_2_is_OUT.SCR
zipped_files.EXE
BLINK_182.MP3.pif
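The propagation pattern described above (a second message with an empty body and an attachment named from a fixed list, most of the names hiding a .pif, .scr or .exe behind a harmless-looking extension) lends itself to a mail-gateway check. The following Python script is an added example, not code from the original page or from Eset: it parses raw messages with the standard `email` library and reports the indicators it finds. The sample messages are constructed for the example, and the list of decoy extensions is an assumption derived from the names above, not taken from the worm's code.

```python
"""Flag e-mail that matches the Win32/MTX propagation pattern.

Added example for this description; not code from the original page or
from Eset.  The sample messages below are constructed, not captured.
"""
import email
from email import policy

# The 32 attachment names used by Win32/MTX, as listed in the description.
MTX_ATTACHMENT_NAMES = {
    "README.TXT.pif", "I_wanna_see_YOU.TXT.pif", "MATRiX_Screen_Saver.SCR",
    "LOVE_LETTER_FOR_YOU.TXT.pif", "NEW_playboy_Screen_saver.SCR",
    "BILL_GATES_PIECE.JPG.pif", "TIAZINHA.JPG.pif", "FEITICEIRA_NUA.JPG.pif",
    "Geocities_Free_sites.TXT.pif", "NEW_NAPSTER_site.TXT.pif",
    "METALLICA_SONG.MP3.pif", "ANTI_CIH.EXE", "INTERNET_SECURITY_FORUM.DOC.pif",
    "FREE_yahoo-email.DOC.pif", "READER_DIGEST_LETTER.TXT.pif",
    "WIN_$100_NOW.DOC.pif", "IS_LINUX_GOOD_ENOUGH!.TXT.pif", "QI_TEST.EXE",
    "AVP_Updates.EXE", "SEICHO-NO-IE.EXE", "YOU_are_FAT!.TXT.pif",
    "FREE_xxx_sites.TXT.pif", "I_am_sorry.DOC.pif", "I_nude.AVI.pif",
    "Sorry_about_yesterday.DOC.pif", "Protect_your_credit.HTML.pif",
    "JIMI_HMNDRIX.MP3.pif", "HANSON.SCR", "FUCKING_WITH_DOGS.SCR",
    "MATRiX_2_is_OUT.SCR", "zipped_files.EXE", "BLINK_182.MP3.pif",
}
_MTX_NAMES_LOWER = {n.lower() for n in MTX_ATTACHMENT_NAMES}

# Executable extensions hidden behind a harmless-looking one.  Assumption:
# the decoy list is derived from the names above, not from the worm's code.
EXECUTABLE_SUFFIXES = (".pif", ".scr", ".exe")
DECOY_SUFFIXES = (".txt", ".jpg", ".doc", ".mp3", ".avi", ".html")


def is_double_extension(filename):
    """True for names such as 'X.TXT.pif': a decoy suffix followed by an
    executable one, which Windows runs while showing only the decoy."""
    low = filename.lower()
    for exe in EXECUTABLE_SUFFIXES:
        if low.endswith(exe):
            return low[:-len(exe)].endswith(DECOY_SUFFIXES)
    return False


def attachment_names(msg):
    """Filenames of all attachment parts of a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def body_is_empty(msg):
    """True when the message has no text body or only whitespace in it."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or not body.get_content().strip()


def mtx_indicators(raw_message):
    """Return the MTX indicators found in one raw RFC 822 message.
    An empty list means the message does not match the pattern."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    for name in attachment_names(msg):
        if name.lower() in _MTX_NAMES_LOWER:
            reasons.append(f"known MTX attachment name: {name}")
        elif is_double_extension(name):
            reasons.append(f"executable hidden behind a decoy extension: {name}")
    # An empty body is only meaningful together with a suspicious attachment.
    if reasons and body_is_empty(msg):
        reasons.append("empty message body")
    return reasons


def sample_message(attachment_name, body_text):
    """Build a constructed multipart/mixed message (sample data, not captured)."""
    return (
        "From: alice@example.com\nTo: bob@example.com\nSubject: meeting notes\n"
        "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
        "--b1\nContent-Type: text/plain; charset=\"us-ascii\"\n\n"
        f"{body_text}--b1\n"
        f"Content-Type: application/octet-stream; name=\"{attachment_name}\"\n"
        f"Content-Disposition: attachment; filename=\"{attachment_name}\"\n"
        "Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA//8AAA==\n--b1--\n"
    )


SAMPLE_MTX_MAIL = sample_message("README.TXT.pif", "")
SAMPLE_CLEAN_MAIL = sample_message("notes.pdf", "Notes from today are attached.\n")
SAMPLE_DECOY_MAIL = sample_message("invoice.DOC.pif", "Please see the attached invoice.\n")

if __name__ == "__main__":
    for label, raw in (("mtx", SAMPLE_MTX_MAIL), ("clean", SAMPLE_CLEAN_MAIL),
                       ("decoy", SAMPLE_DECOY_MAIL)):
        print(label, mtx_indicators(raw) or "clean")
```

The name list alone only catches this family; the double-extension check is the part worth keeping in a gateway, since the same trick is reused by other mail worms and a filename match is cheap compared with unpacking the attachment.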

An interesting, if deliberate, detail is that the infiltration increases its chances of survival by blocking access to web pages whose addresses contain character strings that are part of the names of some antivirus developers.
Another active-defence feature along the same lines is that it blocks the sending of e-mail to some antivirus developers/sites from an infected machine.
The body of the worm contains the following text:

Software provided by [MATRiX] VX team:
Ultras, Mort, Nbk, Tgr, Del_Armg0, Anaktos
Greetz:
All VX guy on #virus channel and Vecna
Visit us: www.coderz.net/matrix

The virus code itself is encrypted. Once executed, it installs itself into the system and attacks Portable Executable (PE) files with the extensions EXE, DLL, SCR and OCX in the current directory, the temporary directory and the directory where Windows is installed.
The script for the IRC clients (mIRC and PIRCH) provides a further spreading channel, triggered when certain keywords (e.g. worm, virus, file, exe) are used in the conversation.
Four variants of this infiltration have been identified so far, and the epidemic continues to spread.
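Two of the traces the description gives are easy to check for on a host: the wsock32.mtx copy the worm creates next to wsock32.dll, and PE images in the three directories it infects. The script below is an added example, not code from the original page or from Eset. It recognises PE files by their headers (the MZ stub and the PE signature at e_lfanew) rather than by extension, so a PE image renamed to a harmless extension is still listed. The mapping of the description's wording to the current directory, the temporary directory and %WINDIR% is an assumption, and the directory tree it demonstrates on is constructed in a temporary folder.

```python
"""Host triage for the two file-system traces the description gives for
Win32/MTX: the wsock32.mtx side file and PE images in the directories the
virus infects.  Added example, not code from the original page or from Eset;
the default directory list is an assumption (current directory, temporary
directory and %WINDIR%, as the description names them)."""
import os
import struct
import tempfile

INFECTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".ocx"}   # from the description
MTX_SIDE_FILE = "wsock32.mtx"


def is_pe_file(path):
    """Identify a PE image by its headers rather than by extension:
    'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew (0x3C)."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def default_directories():
    """Directories MTX infects (assumed mapping of the description's wording)."""
    dirs = [os.getcwd(), tempfile.gettempdir()]
    if os.environ.get("WINDIR"):
        dirs.append(os.environ["WINDIR"])
    return dirs


def triage(directories):
    """Return the side file if present, PE files with infectable extensions,
    and PE images hiding behind other extensions (each as a list of paths)."""
    findings = {"side_file": [], "pe_targets": [], "pe_other_extension": []}
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                continue
            if name.lower() == MTX_SIDE_FILE:
                findings["side_file"].append(path)
            if is_pe_file(path):
                ext = os.path.splitext(name)[1].lower()
                key = "pe_targets" if ext in INFECTABLE_EXTENSIONS else "pe_other_extension"
                findings[key].append(path)
    return findings


def fake_pe_image():
    """Minimal constructed PE header: MZ stub with e_lfanew = 64, then PE\\0\\0."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    return bytes(dos) + b"PE\x00\x00" + bytes(20)


def build_sample_tree(root):
    """Constructed sample directory (not a real infection): one executable,
    one PE hiding behind .txt, one text file and the MTX side file."""
    samples = {
        "notepad.exe": fake_pe_image(),
        "readme.txt": fake_pe_image(),
        "notes.txt": b"just text\n",
        "wsock32.mtx": fake_pe_image(),   # the infected copy of wsock32.dll is a PE too
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)


def demo():
    """Run the triage over the constructed tree; return basenames per category."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = triage([root])
    return {k: sorted(os.path.basename(p) for p in v) for k, v in found.items()}


if __name__ == "__main__":
    print(demo())
    print(triage(default_directories()))
```

Finding wsock32.mtx is the strong signal; the PE listing only tells you which files the scanner has to look at, since the description gives no way to tell an infected PE from a clean one by header alone.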

CLEANING COMPUTER AFTER WIN32/MTX INFECTION

The MTX virus/worm is one of the most sophisticated and complex computer infections. For a detailed description, please see the Virus News section of our web page.

Cleaning up the damage requires a multi-step process. Both the Windows and the MS-DOS versions of the NOD32 Antivirus System need to be used, and cleaning is performed in both Windows and MS-DOS modes. Restarting your computer in MS-DOS mode is required. The steps are described in detail below.

Cleaning procedures:

  1. In the first step, the mtxclean.exe file needs to be downloaded and executed. To do that:
    1. Click the following link: (mtxclean.exe) to download the file.
    2. Double-click the downloaded file to execute it. (If the file executed successfully, the following message will be displayed: "Registry has been successfully repaired".)
  2. Download the Windows version of the NOD32 Antivirus System.
    1. Install NOD32 (Windows version): go to Eset's website and follow the instructions; it is recommended to accept the suggested settings.
    2. Have your computer scanned with this version. To do this:
      1. click the Start button (lower left of the screen)
      2. select Programs
      3. select Eset
      4. click NOD32 (blue cross icon). Most of the infected files will be cleaned; however, some will be shown (in the log file) as "write protected" or "Locked".
    3. Close the NOD32 Windows scanner.
  3. Download NOD32DOS (the MS-DOS version of NOD32) from our website (www.nod32.com).
    To do this:
    1. connect to the Internet
    2. start your browser (e.g. Microsoft Internet Explorer)
    3. in the address line enter Eset's address: www.nod32.com
    4. click the Download button (upper left-hand side of the screen)
    5. click the Download button next to the NOD32DOS version of NOD32
    6. enter your username and password and click the download button; a new window will open with two options: a/ run this program from its current location and b/ save this program to disk. The second option is selected by default.
    7. Click the OK button. A new window will open.
    8. using the pull-down menu of the "Save in:" line, select the Desktop; the default name in the "File name:" field reads: noddsen
    9. click the Save button; this will start the transfer of the MS-DOS version of NOD32 to your machine. After the transfer is complete, close the window by clicking the Close button.
  4. Installation of NOD32DOS on your computer
    On your computer's main screen (the Desktop), double-click the NODDSEN icon. A new window with the Eset logo will open. To continue file extraction, press any key. The first line in the window will read: "Verifying authenticity information ... OK", and the word "DONE" will indicate successful completion of the installation of the MS-DOS version of NOD32.
  5. Your computer must be restarted in MS-DOS mode
    1. close the installation window (click the x in the upper right-hand corner of the window)
    2. click the Start button in the lower left-hand corner of your screen
    3. select the Shut Down command from the menu
    4. select Restart in MS-DOS mode; the screen will go black and a cursor will appear
  6. Running NOD32DOS in MS-DOS mode and cleaning the damaged files
    1. at the cursor, enter the following command:
      c:\windows\desktop\dos32e\nod32dos.exe
      (users of the evaluation version, please see the note at the bottom)
    2. a new window, the graphical interface of NOD32DOS, will open; press the Tab key once to highlight the Clean button in the bottom section of the window
    3. press the Enter key to start scanning your fixed drives
    4. after the cleaning is finished (this may take several minutes), close the window
    5. restart your computer (e.g. press Ctrl-Alt-Del simultaneously).

In Windows mode, run the NOD32 scanner again. If the cleaning was done correctly, no viruses will be detected. In case of problems, please contact us at: support@nod32.com.

NOTEs: