W95.MTX

Discovered on: August 17, 2000
Last Updated on: October 7, 2000 1:59:12 AM PST

W95.MTX has a virus component and a worm component. It propagates using email. It also infects some Win32 executables in specific directories. The virus also has the capability to block access to certain web sites, which may prevent users from downloading new virus definitions.

Also known as: W95.Oisdbo, W95.MTX.dr, W95.MTX (.dll)
Category: Worm, Virus
Infection length: 9250 (variable)
Virus definitions: August 28, 2000

Threat assessment
Wild: High
Damage: Medium
Distribution: High

Wild
Number of infections: 50-999
Number of sites: More than 10
Geographical distribution: High
Threat containment: Moderate
Removal: Difficult

Damage
Payload: Modifies files: Some infected files are corrupted beyond repair.

Distribution
Subject of e-mail: None
Name of attachment: Variable (see below)
Size of attachment: Variable
Target of infection: Windows executables
Time stamp of attachment: Immediately after a new email message is sent, a second message is sent with no subject and the worm attached.

Technical description

Worm component

The worm component makes a copy of Wsock32.dll and names it Wsock32.mtx. The Send export function of this .mtx file is then modified to point to its own code. This allows the virus to mail a copy of the worm, infected with this virus, to the same person to whom the user sends an email (using the same program).

Here is a list of file names that this virus might use when it sends the infected worm to other people. For those files with .pif extensions, the .pif extension might not be visible in your mail program.

    I_wanna_see_you.txt.pif
    Matrix_screen_saver.scr
    Love_letter_for_you.txt.pif
    New_playboy_screen_saver.scr
    Bill_gates_piece.jpg.pif
    Tiazinha.jpg.pif
    Feiticeira_nua.jpg.pif
    Geocities_free_sites.txt.pif
    New_napster_site.txt.pif
    Metallica_song.mp3.pif
    Anti_cih.exe
    Internet_security_forum.doc.pif
    Alanis_screen_saver.scr
    Reader_digest_letter.txt.pif
    Win_$100_now.doc.pif
    Is_linux_good_enough!.txt.pif
    Qi_test.exe
    Avp_updates.exe
    Seicho_no_ie.exe
    You_are_fat!.txt.pif
    Free_xxx_sites.txt.pif
    I_am_sorry.doc.pif
    Me_nude.avi.pif
    Sorry_about_yesterday.doc.pif
    Protect_your_credit.html.pif
    Jimi_hendrix.mp3.pif
    Hanson.scr
    F___ing_with_dogs.scr
    Matrix_2_is_out.scr
    Zipped_files.exe
    Blink_182.mp3.pif
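
As an added example (not part of the Symantec writeup), the following Python mail-filter rule applies the two observable traits described above to a constructed sample message: a message with no subject that carries an attachment, and an attachment whose name is on the list or that hides an executable type behind a double extension such as .txt.pif. The helper names and the sample message are mine.

```python
import email

# Attachment names the writeup lists for W95.MTX, lowercased for matching.
MTX_NAMES = {n.lower() for n in """
I_wanna_see_you.txt.pif Matrix_screen_saver.scr Love_letter_for_you.txt.pif
New_playboy_screen_saver.scr Bill_gates_piece.jpg.pif Tiazinha.jpg.pif
Feiticeira_nua.jpg.pif Geocities_free_sites.txt.pif New_napster_site.txt.pif
Metallica_song.mp3.pif Anti_cih.exe Internet_security_forum.doc.pif
Alanis_screen_saver.scr Reader_digest_letter.txt.pif Win_$100_now.doc.pif
Is_linux_good_enough!.txt.pif Qi_test.exe Avp_updates.exe Seicho_no_ie.exe
You_are_fat!.txt.pif Free_xxx_sites.txt.pif I_am_sorry.doc.pif Me_nude.avi.pif
Sorry_about_yesterday.doc.pif Protect_your_credit.html.pif Jimi_hendrix.mp3.pif
Hanson.scr F___ing_with_dogs.scr Matrix_2_is_out.scr Zipped_files.exe
Blink_182.mp3.pif
""".split()}

# Extension types Windows runs as programs; the writeup notes a trailing .pif may be hidden.
EXECUTABLE_EXT = (".pif", ".scr", ".exe")

def classify_attachment(filename):
    """Return a verdict for one attachment name, or None if nothing flags it."""
    name = filename.lower()
    if name in MTX_NAMES:
        return "known W95.MTX attachment name"
    # "photo.jpg.pif": a document-looking name whose real type is executable.
    if name.count(".") >= 2 and name.endswith(EXECUTABLE_EXT):
        return "double extension hiding an executable type"
    return None

def scan_message(raw):
    """Return findings for one RFC 822 message in the shape the writeup describes."""
    msg = email.message_from_string(raw)
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    findings = []
    # The worm's copy follows a legitimate message: no subject, worm attached.
    if not (msg.get("Subject") or "").strip() and attachments:
        findings.append("empty subject with attachment (W95.MTX mailing pattern)")
    for fn in attachments:
        verdict = classify_attachment(fn)
        if verdict:
            findings.append(f"{fn}: {verdict}")
    return findings

# Constructed sample (not a real capture) mirroring the worm's second message.
SAMPLE = """Subject:
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Love_letter_for_you.txt.pif"

placeholder-bytes
--b1--
"""
```

Running scan_message(SAMPLE) returns both findings; a gateway would quarantine on either one, since the double-extension check also covers names not on the list.
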

Wininit.ini is created by this component. It causes Wsock32.dll to be deleted and Wsock32.mtx to be renamed to Wsock32.dll; Wininit.ini executes after the computer is restarted. After Wininit.ini is created, this component runs the virus component.

Virus component

The virus component searches for specific antivirus programs running. If the virus finds one, the virus does not run. If the virus continues to run, it decompresses the worm component, drops a copy of it into the user's Windows directory (typically C:\Windows), and runs it. The name of this dropped file is Ie_pack.exe. After Ie_pack.exe is executed, it is renamed to Win32.dll. The virus also drops Mtx_.Exe and runs it. This is a downloader program that goes to a specific Web site (i.am/[MATRIX]) where plug-ins for the virus are downloaded and executed.

The virus component searches for Win32 executables in the current directory, the Windows directory, and the Temp directory. To be infected, a file must have a size that is not divisible by 101, be greater than 8K in size, and have at least 20 import call instructions. If not, the file is not infected by the virus.
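
As an added example rather than anything from the writeup, this Python triage script applies the three infection criteria just stated to the files in a directory, so a responder can see which executables were eligible targets and deserve a closer check. The writeup does not say how the virus counts import calls, so treating an import call as the x86 FF 15 encoding (CALL through the import address table) is my assumption, as is reading 8K as 8192 bytes; the sample blob is constructed.

```python
import struct
from pathlib import Path

MIN_SIZE = 8 * 1024     # the writeup: file must be greater than 8K (assumed 8192 bytes)
SIZE_MODULUS = 101      # the writeup: size must not be divisible by 101
MIN_IMPORT_CALLS = 20   # the writeup: at least 20 import call instructions

# Assumption (the writeup does not say how calls are counted): an import call is the
# x86 encoding CALL dword ptr [imm32] (FF 15 xx xx xx xx), a call through the IAT.
IMPORT_CALL_OPCODE = b"\xff\x15"

def is_pe(data):
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def count_import_calls(data):
    """Count FF 15 opcodes that have room for their 4 operand bytes."""
    count, pos = 0, data.find(IMPORT_CALL_OPCODE)
    while pos != -1:
        if pos + 6 <= len(data):
            count += 1
        pos = data.find(IMPORT_CALL_OPCODE, pos + 6)
    return count

def matches_target_profile(data):
    """Evaluate the writeup's criteria; 'candidate' is True only if all hold."""
    size = len(data)
    checks = {
        "is_win32_pe": is_pe(data),
        "size_gt_8k": size > MIN_SIZE,
        "size_not_div_101": size % SIZE_MODULUS != 0,
        "enough_import_calls": count_import_calls(data) >= MIN_IMPORT_CALLS,
    }
    checks["candidate"] = all(checks.values())
    return checks

def build_sample(size, import_calls):
    """Constructed PE-shaped blob (not a runnable executable) for offline testing."""
    hdr = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    body = hdr + (IMPORT_CALL_OPCODE + b"\x00\x40\x40\x00") * import_calls
    return body + b"\x90" * (size - len(body))

def scan_directory(directory):
    """Paths directly under directory whose contents match the target profile."""
    hits = []
    for p in Path(directory).iterdir():
        if p.is_file() and matches_target_profile(p.read_bytes())["candidate"]:
            hits.append(str(p))
    return hits
```

Point scan_directory at the current directory, the Windows directory and the Temp directory named above to list the files the virus would have considered; a file that fails a criterion is not proof it is clean, only that it was outside the virus's target profile.
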

The virus also adds a registry entry that lets the downloader run automatically every time the system is started. The downloader is invisible in the Task List.

Removal: How to repair

This is a complex and difficult virus to remove. It alters system files, and on some systems these files cannot be repaired. In some cases, after attempting to repair the virus, you will not be able to start Windows until you restore the needed system files from the original Windows installation CD. This document assumes that you are familiar with basic Windows and DOS procedures. If you are not, we suggest that you obtain the services of a qualified computer consultant.

CAUTION: Windows 98 allows you to create a startup disk that contains both system files and drivers that will work with most CD-ROMs. Windows 95 does not. Before you start this procedure, it is strongly recommended that you create or obtain a Windows 98 Startup disk. This can be used to boot a Windows 95 or a Windows 98 computer. If you do not create this disk first, and the first part of the removal procedure does not work on your system, you may not be able to restore some Windows files if this is needed.

NOTES: Due to the nature of this virus, some files will not be repairable. The unrepairable files will need to be restored from clean backup copies or from the original distribution disks.

To remove this threat you will need to carefully watch Norton AntiVirus (NAV) during the detection process. The files infected by the virus portion of W95.MTX should be detected as W95.MTX and W95.MTX (.dll). Any files that are detected as being infected with either W95.MTX or W95.MTX (.dll) should be able to be repaired. Files that are part of the Trojan and worm part of the infection should be detected as W95.MTX.dr. Any files detected as being infected with W95.MTX.dr must be removed. It is important to make the distinction between the virus and the worm components, because the virus part of W95.MTX can infect Windows system files, and if you delete system files you might damage Windows.

To repair the damage done by this virus, follow in turn the instructions in each section.

Create or obtain a Startup disk

Before you begin the removal process, you must create or obtain a Windows 98 Startup disk. If you are running Windows 95, you may be able to obtain one from a local computer store. To create one on a Windows 98 computer, follow these steps:

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Add/Remove Programs.
3. Click the Startup Disk tab.
4. Place a new, formatted floppy disk in the floppy disk drive.
5. Click Create Disk and follow the prompts.

Ensure that you have the most recent virus definitions

You must have Norton AntiVirus installed, and you must have virus definitions dated September 5, 2000 or later. If you do not, you will not be able to run LiveUpdate or download the definitions from the SARC Web site, because this virus blocks access to most antivirus vendors' Web sites, including Symantec's. There are two ways to work around this:

If you have access to an uninfected computer, download the most recent definitions from the SARC Web site, and then install the definition files on the infected computer. For instructions on how to do this, see the following documents:

    Title: How to update virus definition files using the Virus Definition Update Installer
    Document ID: 1998082013035306

    Title: How to update virus definitions on computers without Internet or network connections
    Document ID: 199811293832

If you do not have access to an uninfected computer, you can download the Virus Definition Update Installer from the Tucows Web site. Follow these steps to do this:

1. Go to: http://www.tucows.com
2. In the Search Software Library! box, type the following and then click GO!: norton dat
3. Locate the entry (it should be the first in the list) for the Platform: Windows 95/98 and then click Download Now.
4. Choose your region and state or locality and then click GO!
5. Click the download site nearest your location.
6. Download the file to a location on the hard drive such as the Windows desktop.
7. When the download is finished, double-click the file that you downloaded to install it.

Restart the computer to a command prompt

You need to restart the computer to a command prompt. Follow the steps for your operating system.

How to start Windows 95 to a command prompt:

1. Click Start and click Shut Down. The Shut Down Windows dialog box appears.
2. Click Restart, then click Yes. Windows will shut down and the computer will restart.
3. When "Starting Windows 95..." appears on the screen, press F8. The Windows 95 Startup Menu appears.
4. Select "Command Prompt only" and press Enter.

How to start Windows 98 to a command prompt:

1. Click Start and click Shut Down. The Shut Down Windows dialog box appears.
2. Click Restart, then click OK. Windows will shut down and the computer will restart.
3. As the computer restarts, press and hold down the Ctrl key until the Windows 98 Startup Menu appears.
   Note: On some computers, a keyboard or other error may appear during restart as you hold down the Ctrl key. If so, follow the prompts to press a key to continue (for example, the message may prompt you to press the Esc key), then immediately press the Ctrl key again.
4. Select "Command Prompt only" and then press Enter.

Delete the infected files

Follow these steps to delete the infected files:

NOTE: These instructions assume that you have Windows installed to the default of C:\. If you have Windows installed to a different location, please make the appropriate substitutions.

1. Type each of the following commands and press Enter after each one:

       cd \windows
       attrib -r -s -h *.*
       del ie_pack.exe
       del win32.dll
       del mtx_.exe

   NOTE: If after entering any of these commands you see a message such as "File not found," type the command again to make sure that it was typed exactly as shown. For example, ie_pack.exe is "ie", then an underscore, then "pack.exe".

2. Type the following command and then press Enter:

       dir /s \navdx.exe

   This will search the hard drive for the location of the Norton AntiVirus DOS scanner. If you have NAV installed to a different drive, change to the root of that drive first.

3. Write down the location that follows "Directory of," for example, C:\Progra~1\Norton~1.

4. Change to the directory whose location you wrote down in the previous step by typing cd followed by the path. For example, to change to the default location shown in step 3, type the following command and then press Enter:

       cd \progra~1\norton~1

5. Type the following command and then press Enter:

       navdx /a /doallfiles /repair /delete

   This will scan all hard drives and files. NAV will attempt to repair any infected files; if it cannot repair an infected file, the file will be deleted.

   CAUTION: This could take several hours or more on some computers. Do not attempt to stop the scan once it has started.

When the scan is finished, go on to the next section.

Extract new copies of the Wsock32.dll, Explorer.exe, and Rundll32.exe files

This is necessary because these files have very likely been infected by the virus and are critical for accessing the Internet and using the computer. You need to use the Extract command at a DOS prompt to restore good copies of these files from the Windows installation files. There are two locations from which these files can be extracted:

- The Windows installation files on your hard drive. On many newer computers, the Cab files that contain the Windows installation files are stored on the computer's hard drive. If you are sure that this is the case, see the section "How to extract files that are located on the hard drive."
- The Microsoft Windows 95/98 installation CD. If you do not have the Cab files on the hard drive, see the section "How to extract files that are located on the installation CD."

How to extract files that are located on the hard drive

1. Type the following and then press Enter:

       dir /s \precopy1.cab

   This will search the hard drive for the location of the Cab files. If the file is not found, it is likely that the Cab files are not on the hard drive. Skip to the section "How to extract files that are located on the installation CD."

2. Write down the location that follows "Directory of," for example, C:\Windows\Options\Cabs.

3. Change to the directory whose location you wrote down in the previous step by typing cd followed by the path. For example, to change to the location shown in step 2, type the following command and then press Enter:

       cd \windows\options\cabs

4. What you do next depends on which operating system you are using.

   NOTES:
   - If after entering any of these commands you see a message such as "File not found," type the command again to make sure that it was typed exactly as shown.
   - If you see a message asking if you want to overwrite a file (Yes/No/All), type Y and then press Enter.
   - If you have Windows installed to a different location, please make the appropriate substitutions.

   If you are using Windows 98, type the following commands and press Enter after each one:

       extract /a precopy1.cab wsock32.dll /l c:\windows\system
       extract /a win98_40.cab explorer.exe /l c:\windows
       extract /a win98_40.cab rundll32.exe /l c:\windows

   If you are using Windows 95, type the following commands and press Enter after each one:

       extract /a win95_10.cab wsock32.dll /l c:\windows\system
       extract /a win95_10.cab explorer.exe /l c:\windows
       extract /a win95_10.cab rundll32.exe /l c:\windows

If you experience no error messages, then you are finished with the extraction process. Go on to the section "Edit the registry."

How to extract files that are located on the installation CD

1. Insert the Windows 98 Startup disk in the floppy disk drive.
2. Insert the Windows 98 installation CD in the CD-ROM drive.
3. Turn off the computer and wait thirty seconds.
4. Turn on the computer. The computer will start to a startup menu. The default menu item is "Start Computer with CD-ROM Support." Do not change this, but instead press Enter.
5. Allow the computer to finish booting to an A: prompt. This could take a few minutes.
6. The next step is to change to the CD-ROM drive. Because you are using the Startup disk, the drive letter will be one letter greater than the drive letter that usually represents the CD-ROM drive. For example, if the CD-ROM drive is the D: drive in Windows, it will now be the E: drive. Type the following, changing the drive letter as necessary, and then press Enter:

       E:\Win98    (if the installation disk is for Windows 98)
       E:\Win95    (if the installation disk is for Windows 95)

   If you see an error message, try retyping the command with a different drive letter, for example, F:\Win98.

7. What you do next depends on which operating system you are using.

   NOTES:
   - If after entering any of these commands you see a message such as "File not found," type the command again to make sure that it was typed exactly as shown.
   - If you see a message asking if you want to overwrite a file (Yes/No/All), type Y and then press Enter.
   - If you have Windows installed to a different location, please make the appropriate substitutions.

   If you are using Windows 98, type the following commands and press Enter after each one:

       extract /a precopy1.cab wsock32.dll /l c:\windows\system
       extract /a win98_40.cab explorer.exe /l c:\windows
       extract /a win98_40.cab rundll32.exe /l c:\windows

   If you are using Windows 95, type the following commands and press Enter after each one:

       extract /a win95_10.cab wsock32.dll /l c:\windows\system
       extract /a win95_10.cab explorer.exe /l c:\windows
       extract /a win95_10.cab rundll32.exe /l c:\windows

If you experience no error messages, then you are finished with the extraction process. Go on to the next section.

Edit the registry

Follow these steps to remove the entry that the virus added to the registry:

CAUTION: We strongly recommend that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in permanent data loss or corrupted files. Please make sure that you modify only the keys specified. Please see the document "How to back up the Windows 95/98/NT registry" before proceeding. This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document 927002.

1. Remove the floppy disk from the floppy disk drive.
2. If you extracted the files from the installation CD, remove the CD from the CD-ROM drive.
3. Turn off the computer and wait thirty seconds.
4. Turn on the computer and allow Windows to start.
   NOTE: It is normal at this point for error messages to appear. They will refer to the virus files with messages such as "Windows cannot find..." Ignore these messages. They are the result of the remaining entries in the Windows registry that you will remove next. They do not indicate that the computer is still infected.
5. Click Start, and then click Run. The Run dialog box appears.
6. Type regedit and then click OK. The Registry Editor opens.
7. Navigate to and select the following subkey:

       HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run

8. Delete the following value in the right pane, and click Yes to confirm:

       SystemBackup    C:\WINDOWS\MTX_.EXE

9. Delete the following subkey, and click Yes to confirm:

       HKey_Local_Machine\Software\[Matrix]

10. In the left pane, click the My Computer key.
11. Click Edit and then click Find. In the Find what box, type mtx and then click Find Next.
12. What you do will depend on whether any entries are found. If no entries are found that contain the string mtx, go on to the next step. If any entries are found and they refer to MTX_.EXE, delete the entry. Because this is a string search, it could find entries for legitimate programs that happen to contain this string. Make sure that the reference is to MTX_.EXE before you delete it. To continue the search after an entry is found, press F3. Keep doing this until no more entries are found.
13. Repeat step 11, but this time search for [MATRIX]. Delete any entries that are found.
14. Click the Registry menu, and then click Exit to save the changes and close the Registry Editor.
15. Restart the computer.