-Z- (z@gundam.com)
Mon, 8 Jan 2001 21:32:54 -0800


> -----Original Message-----
> From: owner-gundam@1u.aeug.org [mailto:owner-gundam@1u.aeug.org]On
> Behalf Of Lim Jyue
> Sent: Monday, January 08, 2001 07:53
> To: gundam@aeug.org
> Subject: [gundam] [Warning!] Probable Virus Was: Re:
>
>
> At 12:09 01/08/2001 +0100, changegetta@inwind.it wrote:
> >Attachment Converted: c:\eudora\attach\Geocities_Free_sites.TXT.pif
>
> This is probably a virus. I opened it in a text editor (suspicious
> sod that I am) and the content is pretty suspicious.
>
> I suggest, unless you know otherwise, to delete this immediately.

No "probably" about it. The attachment Geocities_Free_sites.TXT.pif was
infected with the W95.MTX.dr virus. Here are the gory details:

-------
W95.MTX
-------
Also known as: W95.Oisdbo, W95.MTX.dr, W95.MTX (.dll)
Discovered on August 17, 2000
W95.MTX has a virus component and a worm component. It propagates using email
and infects some Win32 executables in specific directories. The virus also has
the capability to block access to certain web sites, which may prevent you from
downloading new virus definitions.

Category: Worm, Virus
Infection length: 9250 (variable)
Virus definitions: August 28, 2000; last updated December 7, 2000
Number of infections: 50-999
Number of sites: More than 10
Geographical distribution: High
Threat containment: Moderate
Removal: Difficult

Damage
------
Payload modifies files. Some infected files are corrupted beyond repair.

Distribution
------------
Subject of email: None
Name of attachment: Variable (see below)
Size of attachment: Variable
Target of infection: Windows executables
Time stamp of attachment: Immediately after a new email message is sent, a
second message is sent with no subject and the worm attached.

Worm component
--------------
The worm component makes a copy of WSOCK32.DLL and names it WSOCK32.MTX. The
Send export function of this .MTX file is then modified to point to its own
code. This allows the virus to mail a copy of the worm infected with this virus
to the same person to whom the user sends an email (using the same program).

Here's a list of file names that this virus might use when it sends the infected
worm to other people. The .PIF extension might not be visible in your mail
program, so the file appears to be a .DOC, .EXE, .HTML, .JPG, .MP3, .SCR or .TXT
file.

I_wanna_see_you.txt.pif
Matrix_screen_saver.scr
Love_letter_for_you.txt.pif
New_playboy_screen_saver.scr
Bill_gates_piece.jpg.pif
Tiazinha.jpg.pif
Feiticeira_nua.jpg.pif
Geocities_free_sites.txt.pif
New_napster_site.txt.pif
Metallica_song.mp3.pif
Anti_cih.exe
Internet_security_forum.doc.pif
Alanis_screen_saver.scr
Reader_digest_letter.txt.pif
Win_$100_now.doc.pif
Is_linux_good_enough!.txt.pif
Qi_test.exe
Avp_updates.exe
Seicho_no_ie.exe
You_are_fat!.txt.pif
Free_xxx_sites.txt.pif
I_am_sorry.doc.pif
Me_nude.avi.pif
Sorry_about_yesterday.doc.pif
Protect_your_credit.html.pif
Jimi_hendrix.mp3.pif
Hanson.scr
F___ing_with_dogs.scr
Matrix_2_is_out.scr
Zipped_files.exe
Blink_182.mp3.pif

WININIT.INI is created by this component, which causes WSOCK32.DLL to be deleted
and WSOCK32.MTX to be renamed to WSOCK32.DLL. WININIT.INI executes after the
computer is restarted. After WININIT.INI is created, this component runs the
virus component.

Virus component
---------------
The virus component searches for specific antivirus programs running. If the
virus finds one, the virus does not run. If the virus continues to run, it
decompresses the worm component, drops a copy of it into the user's Windows
directory (typically C:\WINDOWS), and runs it. The name of this dropped file is
IE_PACK.EXE. After IE_PACK.EXE is executed, it's renamed WIN32.DLL.

The virus also drops MTX_.EXE and runs it. This is a downloader program that
goes to a specific Web site (i.am/[MATRIX]) where plug-ins for the virus are
downloaded and executed. It searches for Win32 executables in the current
directory, Windows directory, and the Temp directory. The file to be infected
needs to have a size that is not divisible by 101, is greater than 8K in size,
and has at least 20 import call instructions. If not, the file is not infected
by the virus.

The virus also adds a Registry entry that lets the downloader run automatically
every time the system is started. The downloader is invisible in the Task List.

Removal
-------
This is a complex and difficult virus to remove. It alters system files and on
some systems these files cannot be repaired. In some cases, after attempting to
repair the virus, you will not be able to start Windows until you restore the
needed system files from the original Windows installation CD.

CAUTION
-------
Windows 98 allows you to create a startup disk that contains both system files
and drivers that will work with most CD-ROMs. Windows 95 does not. Before you
start this procedure, you should create or obtain a Windows 98 Startup disk,
which can be used to boot a Windows 95 or a Windows 98 computer. If you don't
create this disk first, and the first part of the removal procedure does not
work on your system, you may not be able to restore some Windows files
thereafter.

NOTES
-----
Due to the nature of this virus, some files will not be repairable. The
unrepairable files must be restored from clean backup copies, or from the
original distribution disks.

To remove this threat you will need to carefully watch your antivirus program
during the detection process.

The files infected by the virus portion of W95.MTX should be detected as W95.MTX
and W95.MTX (.dll). Any files that are detected as being infected with either
W95.MTX or W95.MTX (.dll) should be able to be repaired.

Files that are part of the Trojan and worm part of the infection should be
detected as W95.MTX.dr. Any files detected as being infected with W95.MTX.dr
must be removed.

It's important to make the distinction between the virus and the worm
components, because the virus part of W95.MTX can infect Windows system files
and if you delete system files you might damage Windows.

-Z-
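The writeup above turns on two things a mail gateway or a user can check without any signature database: the worm's attachment names are a fixed list, and every one of them hides a runnable extension (.pif, .scr, .exe) behind a harmless-looking one (.txt, .jpg, .doc) that is all the mail client shows. The following Python script is an added example, not part of the original post or of any antivirus product: it reads Eudora-style "Attachment Converted:" lines like the one quoted in the thread, flags names on the W95.MTX list, and, more generally, flags any decoy-plus-executable double extension even when the name is not on the list. The log lines are constructed, and the extension sets are assumptions (the three extensions the worm actually uses plus two other common runnable ones).

```python
import re
from dataclasses import dataclass, field

# Attachment names from the W95.MTX description (compared case-insensitively).
KNOWN_MTX_NAMES = {
    "i_wanna_see_you.txt.pif", "matrix_screen_saver.scr", "love_letter_for_you.txt.pif",
    "new_playboy_screen_saver.scr", "bill_gates_piece.jpg.pif", "tiazinha.jpg.pif",
    "feiticeira_nua.jpg.pif", "geocities_free_sites.txt.pif", "new_napster_site.txt.pif",
    "metallica_song.mp3.pif", "anti_cih.exe", "internet_security_forum.doc.pif",
    "alanis_screen_saver.scr", "reader_digest_letter.txt.pif", "win_$100_now.doc.pif",
    "is_linux_good_enough!.txt.pif", "qi_test.exe", "avp_updates.exe", "seicho_no_ie.exe",
    "you_are_fat!.txt.pif", "free_xxx_sites.txt.pif", "i_am_sorry.doc.pif", "me_nude.avi.pif",
    "sorry_about_yesterday.doc.pif", "protect_your_credit.html.pif", "jimi_hendrix.mp3.pif",
    "hanson.scr", "f___ing_with_dogs.scr", "matrix_2_is_out.scr", "zipped_files.exe",
    "blink_182.mp3.pif",
}

# Assumed set of extensions Windows will execute; pif/scr/exe are the ones the worm uses.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat"}
# Assumed set of harmless-looking extensions the worm places in front of the real one.
DECOY_EXTS = {"txt", "doc", "html", "htm", "jpg", "mp3", "avi"}

# Eudora writes one line per saved attachment, as quoted in the thread.
EUDORA_LINE = re.compile(r"^Attachment Converted:\s*(.+?)\s*$")


@dataclass
class Finding:
    name: str                 # attachment file name as written
    verdict: str              # "block", "review" or "allow"
    reasons: list = field(default_factory=list)


def classify_attachment(path: str) -> Finding:
    """Judge one attachment by its file name alone (no file content needed)."""
    # Strip any Windows or POSIX directory prefix.
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    parts = base.lower().split(".")
    reasons = []

    if base.lower() in KNOWN_MTX_NAMES:
        reasons.append("file name is on the W95.MTX attachment list")

    # Double extension: a decoy extension immediately before a runnable one.
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS:
        reasons.append(f"double extension: shown as .{parts[-2]}, runs as .{parts[-1]}")
    elif len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"runnable attachment (.{parts[-1]})")

    if any(r.startswith(("file name", "double")) for r in reasons):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return Finding(base, verdict, reasons)


def scan_mail_log(text: str) -> list:
    """Apply classify_attachment to every Eudora 'Attachment Converted' line."""
    findings = []
    for line in text.splitlines():
        m = EUDORA_LINE.match(line)
        if m:
            findings.append(classify_attachment(m.group(1)))
    return findings


# Constructed sample log: the name from the thread plus three others for contrast.
SAMPLE_LOG = r"""
Attachment Converted: c:\eudora\attach\Geocities_Free_sites.TXT.pif
Attachment Converted: c:\eudora\attach\minutes.doc
Attachment Converted: c:\eudora\attach\photo.jpg.exe
Attachment Converted: c:\eudora\attach\setup.exe
"""

if __name__ == "__main__":
    for f in scan_mail_log(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.name}  {'; '.join(f.reasons)}")
```

The known-name check catches the attachment from the thread even though its case differs from the list; the double-extension check is what catches the worm's trick in general, and would also catch a renamed copy that is not on the list. A plain `.exe` is only marked for review, since legitimate attachments can carry that extension.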

-
Gundam Mailing List Archives are available at http://gundam.aeug.org/



This archive was generated by hypermail 2.0b3 on Tue Jan 09 2001 - 14:32:59 JST