Win32:MTX

Win32:MTX is a worm, virus and backdoor trojan combined in one program. It spreads on Win32 systems: it infects other programs, installs the backdoor trojan component in order to download additional plugins, and also tries to send itself by e-mail as an attached file.

When executed, the virus installs its Worm and Backdoor parts into the system; these components run as standalone programs. It tries to detect the presence of several antivirus programs and, if one of them is found, the virus does not spread on that system. After this check the virus creates three files in the Windows directory:
IE_PACK.EXE - contains the Worm part
WIN32.DLL - contains both Worm part and complete virus
MTX_.EXE - contains the Backdoor Trojan part
The virus then infects all PE files in the current and Windows directories. It does not modify the entry point of the host program but places a special jump instruction in the middle of the host code, which makes its detection and disinfection more difficult.

The Worm part uses the same technique as Win32:Ska to mail itself to other computers. It works with a modified copy of the WSOCK32.DLL file, which gives it control over what is accessed on the Internet or sent out via e-mail. It blocks access and message sending to several (antivirus) domains (nii, nai, avp, f-se, mapl, pand, soph, ndmi, afee, yenn, lywa, tbav, yman) and also disables any e-mail to the following domains (wildlist.o*, il.esafe.c*, perfectsup*, complex.is*, HiServ.com*, hiserv.com*, metro.ch*, beyond.com*, mcafee.com*, pandasoftw*, earthlink.*, inexar.com*, comkom.co.*, meditrade.*, mabex.com *, cellco.com*, symantec.c*, successful*, inforamp.n*, newell.com*, singnet.co*, bmcd.com.a*, bca.com.nz*, trendmicro*, sophos.com*, maple.com.*, netsales.n* and f-secure.c*).

The Worm sends the above-mentioned file WIN32.DLL in a separate message to all e-mail recipients. Such a message has no subject and no text body, and the attached file has one of the following names (PIF files are executed by double-click!):
README.TXT.pif
I_wanna_see_YOU.TXT.pif
MATRiX_Screen_Saver.SCR
LOVE_LETTER_FOR_YOU.TXT.pif
NEW_playboy_Screen_saver.SCR
BILL_GATES_PIECE.JPG.pif
TIAZINHA.JPG.pif
FEITICEIRA_NUA.JPG.pif
Geocities_Free_sites.TXT.pif
NEW_NAPSTER_site.TXT.pif
METALLICA_SONG.MP3.pif
ANTI_CIH.EXE
INTERNET_SECURITY_FORUM.DOC.pif
ALANIS_Screen_Saver.SCR
READER_DIGEST_LETTER.TXT.pif
WIN_$100_NOW.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
QI_TEST.EXE
AVP_Updates.EXE
SEICHO-NO-IE.EXE
YOU_are_FAT!.TXT.pif
FREE_xxx_sites.TXT.pif
I_am_sorry.DOC.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
Protect_your_credit.HTML.pif
JIMI_HMNDRIX.MP3.pif
HANSON.SCR
FUCKING_WITH_DOGS.SCR
MATRiX_2_is_OUT.SCR
zipped_files.EXE
BLINK_182.MP3.pif
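An added example, not part of the avast! description: a Python mail-gateway triage that flags attachments by the names listed above and, more generally, any double-extension name whose outer extension Windows executes on double-click (.pif, .scr, .exe) hidden behind a document-like inner extension, together with the empty-subject, empty-body, single-attachment shape of the MTX message. The extension sets, message samples and function names are constructed for this example.

```python
# Mail-gateway triage for Win32:MTX style attachments (added example, not avast! code).

# Attachment names used by Win32:MTX, taken from the description above.
MTX_ATTACHMENT_NAMES = {
    "README.TXT.pif", "I_wanna_see_YOU.TXT.pif", "MATRiX_Screen_Saver.SCR",
    "LOVE_LETTER_FOR_YOU.TXT.pif", "NEW_playboy_Screen_saver.SCR",
    "BILL_GATES_PIECE.JPG.pif", "TIAZINHA.JPG.pif", "FEITICEIRA_NUA.JPG.pif",
    "Geocities_Free_sites.TXT.pif", "NEW_NAPSTER_site.TXT.pif",
    "METALLICA_SONG.MP3.pif", "ANTI_CIH.EXE", "INTERNET_SECURITY_FORUM.DOC.pif",
    "ALANIS_Screen_Saver.SCR", "READER_DIGEST_LETTER.TXT.pif", "WIN_$100_NOW.DOC.pif",
    "IS_LINUX_GOOD_ENOUGH!.TXT.pif", "QI_TEST.EXE", "AVP_Updates.EXE",
    "SEICHO-NO-IE.EXE", "YOU_are_FAT!.TXT.pif", "FREE_xxx_sites.TXT.pif",
    "I_am_sorry.DOC.pif", "Me_nude.AVI.pif", "Sorry_about_yesterday.DOC.pif",
    "Protect_your_credit.HTML.pif", "JIMI_HMNDRIX.MP3.pif", "HANSON.SCR",
    "FUCKING_WITH_DOGS.SCR", "MATRiX_2_is_OUT.SCR", "zipped_files.EXE",
    "BLINK_182.MP3.pif",
}
_MTX_LOWER = {n.lower() for n in MTX_ATTACHMENT_NAMES}

# Extensions Windows runs on double-click even though they look harmless (constructed set).
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd"}
# Extensions a user expects to open as data; MTX uses them as the "bait" part (constructed set).
DATA_EXTS = {"txt", "doc", "jpg", "mp3", "avi", "html", "htm", "gif", "zip"}

_RANK = {"allow": 0, "quarantine": 1, "block": 2}


def triage_attachment(filename):
    """Return (verdict, reason) for one attachment file name."""
    name = filename.strip().lower()
    if name in _MTX_LOWER:
        return ("block", "attachment name is on the Win32:MTX list")
    parts = name.split(".")
    # Generalisation: bait.DATA.EXECUTABLE is the MTX pattern regardless of the bait text.
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DATA_EXTS:
        return ("block", "deceptive double extension .%s.%s" % (parts[-2], parts[-1]))
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        return ("quarantine", "executable attachment type .%s" % parts[-1])
    return ("allow", "no executable extension")


def triage_message(subject, body, attachments):
    """Combine per-attachment verdicts with the MTX message shape: no subject, no body, one attachment."""
    reasons = []
    worst = "allow"
    for att in attachments:
        verdict, why = triage_attachment(att)
        if _RANK[verdict] > _RANK[worst]:
            worst = verdict
        if verdict != "allow":
            reasons.append("%s: %s" % (att, why))
    if not subject.strip() and not body.strip() and len(attachments) == 1 and worst != "allow":
        reasons.append("empty subject and body with a single executable attachment (MTX mailing pattern)")
        worst = "block"
    return (worst, reasons)


if __name__ == "__main__":
    # Constructed sample messages: one MTX-shaped, one benign, one with a novel double-extension name.
    samples = [
        ("", "", ["Me_nude.AVI.pif"]),
        ("Q3 numbers", "see attached", ["q3.xlsx"]),
        ("pics", "from the party", ["holiday.JPG.scr"]),
    ]
    for subject, body, atts in samples:
        print(atts, "->", triage_message(subject, body, atts))
```

Exact-name matching alone is brittle, since the attachment list is easy to vary; the double-extension rule is what catches the next variant, and the empty-subject/empty-body check raises a plain executable attachment to a block only when the whole message looks like the worm's output.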

The Backdoor Trojan installs itself into the system via Registry manipulation and then stays active as a service. It tries to download and install other programs from the Internet; the original version, however, does not seem to work correctly. It uses the following Registry key to be executed on every Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemBackup
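An added example, not part of the avast! description: a Python host check for the artifacts named above, the three dropped files in the Windows directory and the autostart entry (a value named SystemBackup under the CurrentVersion\Run key). It works offline on a constructed directory listing and a constructed excerpt of a .reg export, so the parsing of the Run key is general and will also report any other Run value whose program is one of the dropped files. The sample data, the .reg parser and the function names are constructed for this example.

```python
# Host artifact check for Win32:MTX (added example, not avast! code).
import re
from pathlib import PureWindowsPath

# Files Win32:MTX creates in the Windows directory (from the description above).
MTX_DROPPED_FILES = {"IE_PACK.EXE", "WIN32.DLL", "MTX_.EXE"}
# Autostart value the backdoor registers under the Run key (from the description above).
MTX_RUN_VALUE = "SystemBackup"

# Constructed sample: a directory listing of the Windows directory.
SAMPLE_WINDIR_LISTING = ["explorer.exe", "win.ini", "WSOCK32.DLL", "mtx_.exe", "win32.dll", "notepad.exe"]

# Constructed sample: an excerpt of a .reg export (regedit /e) of the Run key.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"SystemBackup"="C:\\WINDOWS\\MTX_.EXE"
'''


def find_dropped_files(listing):
    """Return names from a Windows-directory listing that match the MTX dropped files (case-insensitive)."""
    wanted = {n.lower() for n in MTX_DROPPED_FILES}
    return sorted(n for n in listing if n.lower() in wanted)


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; only quoted (REG_SZ) values are kept."""
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files escape backslashes as \\ and double quotes as \"
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            result[current][m.group(1)] = data
    return result


def find_run_persistence(reg_text):
    """Return (key, value_name, data) for Run values that use the MTX value name or start an MTX dropped file."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, data in values.items():
            program = PureWindowsPath(data.split()[0]).name if data.strip() else ""
            if name.lower() == MTX_RUN_VALUE.lower() or program.upper() in MTX_DROPPED_FILES:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    print("dropped files present:", find_dropped_files(SAMPLE_WINDIR_LISTING))
    for key, name, data in find_run_persistence(SAMPLE_REG_EXPORT):
        print("Run persistence:", name, "=", data)
```

The directory check is a name-only indicator and should be confirmed by the avast! detection the description refers to; the registry check is the stronger signal because the value name and the program path both come from the backdoor itself.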

The virus part itself contains the following strings:

SABIÁ.b ViRuS
Software provide by [MATRiX] VX TeAm: Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
Greetz: All VX guy in #virus and Vecna for help us
Visit us at:
http://www.coderz.net/matrix

The worm part contains the following strings:

Software provide by [MATRiX] VX team:
Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
Greetz:
All VX guy on #virus channel and Vecna
Visit us: www.coderz.net/matrix

And the Backdoor Trojan part contains the following strings:

Software provide by [MATRiX] team:
Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
Greetz:
Vecna 4 source codes and ideas

Any avast! with a VPS file dated after 25th September 2000 is able to detect this virus.
