Virus Central - The Place for Virus Info
I-Worm.MTX
==========

A new worm, I-Worm.MTX, has been found spreading across the Internet.
The worm, designed for Windows 95/98, arrives as an e-mail with an attached file whose name
is taken from the following list:

README.TXT.pif
I_wanna_see_YOU.TXT.pif
MATRiX_Screen_Saver.SCR
LOVE_LETTER_FOR_YOU.TXT.pif
NEW_playboy_Screen_saver.SCR
BILL_GATES_PIECE.JPG.pif
TIAZINHA.JPG.pif
FEITICEIRA_NUA.JPG.pif
Geocities_Free_sites.TXT.pif
NEW_NAPSTER_site.TXT.pif
METALLICA_SONG.MP3.pif
ANTI_CIH.EXE
INTERNET_SECURITY_FORUM.DOC.pif
ALANIS_Screen_Saver.SCR
READER_DIGEST_LETTER.TXT.pif
WIN_$100_NOW.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
QI_TEST.EXE
AVP_Updates.EXE
SEICHO-NO-IE.EXE
YOU_are_FAT!.TXT.pif
FREE_xxx_sites.TXT.pif
I_am_sorry.DOC.pif
aMe_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
Protect_your_credit.HTML.pif
JIMI_HMNDRIX.MP3.pif
HANSON.SCR
FUCKING_WITH_DOGS.SCR
MATRiX_2_is_OUT.SCR
zipped_files.EXE
BLINK_182.MP3.pif


The worm tries to confuse users with a doubled file extension and
uses extensions that are unusual for executables (such as .PIF).
All of these files are fully executable. When the attached file is executed,
the worm drops the files mtx_.exe, ie_pack.exe and win32.dll into the
\WINDOWS directory and prepares a modified copy of the WSOCK32.DLL library, named
WSOCK32.MTX, in the \WINDOWS\SYSTEM directory. The worm then creates the file
\WINDOWS\WININIT.INI, which contains the following commands:

[Rename]
NUL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\WSOCK32.MTX

and writes these two items into the registry:

HKLM\Software\[MATRiX]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemBackup=C:\WINDOWS\MTX_.EXE

After the next restart, the file WSOCK32.MTX is renamed to WSOCK32.DLL (as instructed
in the WININIT.INI file) and the virus is activated. While the virus is running, it can
infect other executable files by appending its body to the end of the infected file
(enlarging the last section). The call to the virus body is not placed at the program's
entry point.

Removing instructions:
----------------------

Restart the computer in DOS mode and delete the dropped files (mtx_.exe, ie_pack.exe
and win32.dll in the \WINDOWS directory). Replace infected files from backup.
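
Two of the indicators described above, the doubled extension on the attachment and the [Rename] entries in WININIT.INI, can be checked mechanically. The following Python code is an added example, not part of the original advisory; the function names, the extension sets and the DLL watch list are assumptions chosen for illustration.

```python
import ntpath

# Extensions Windows 95/98 executes directly (.com and .bat added as assumptions).
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat"}
# Extensions a user reads as a harmless document or media file (assumed set).
DECOY_EXTS = {".txt", ".jpg", ".doc", ".mp3", ".avi", ".html"}
# System libraries that should never be swapped at boot (assumed watch list).
WATCHED_DLLS = {"wsock32.dll"}

def is_deceptive_attachment(name):
    """True when a decoy extension is followed by an executable one."""
    stem, last = ntpath.splitext(name.lower())
    _, inner = ntpath.splitext(stem)
    return last in EXECUTABLE_EXTS and inner in DECOY_EXTS

def parse_rename_section(text):
    """Return (destination, source) pairs from the [Rename] section.

    Parsed by hand: configparser would split keys at the ':' of a drive
    letter and collapse the repeated NUL= keys that WININIT.INI allows.
    """
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
        elif in_rename and "=" in line and not line.startswith(";"):
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs

def suspicious_renames(text):
    """Flag boot-time deletes or replacements of watched system DLLs."""
    findings = []
    for dest, src in parse_rename_section(text):
        if dest.upper() == "NUL":  # NUL=<file> deletes <file> at restart
            if ntpath.basename(src).lower() in WATCHED_DLLS:
                findings.append(("delete", src, None))
        elif ntpath.basename(dest).lower() in WATCHED_DLLS:
            findings.append(("replace", dest, src))
    return findings

# WININIT.INI content as quoted in the advisory above.
SAMPLE_WININIT = r"""[Rename]
NUL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\WSOCK32.MTX
"""
```

Names such as MATRiX_Screen_Saver.SCR or ANTI_CIH.EXE carry a single, openly executable extension, so they are not matched by the double-extension check and need a separate attachment-type policy.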

 

  © TekWarrior.com, To protect and inform the public. All rights Reserved