About MartNet MartNet Technical Support Yet Another MartNet Ad
Home Services Support Members Software Contact
Search Support
MartNet WebMail

MartNet WebAdmin

Dialup Access
  Numbers

Domain Name
  Management

MartNet News /
  Status Info

NOC / System Status


Support Topics:
 MartNet WebAdmin
 Dial-up
 Virtual Hosting
 Web Site Construction
 Unix / Linux
 E-Mail
 Internet Chat
 Game Server Services
 Misc. Stuff
 Policies / Legal





FAQ's:
 MartNet WebAdmin
 Dial-up
 Virtual Hosting
 E-Mail
 Game Server Services
 Misc. FAQ's

Links:
 Privacy and Security
 Dial-up
 Web Development
 E-Mail
 Unix / Linux
 Game Server Services
 Misc. Support Links




MartNet Policies
Billing Dept.

Check Domain
Availability:



MTX Virus Support
A simple fix for a common email virus

This is a fix for a common virus that we notice coming into our support mailbox.

What it does:

The worm component makes a copy of Wsock32.dll and names it Wsock32.mtx.
The Send export function of this .mtx file is then modified to point to its own code.
This allows the virus to mail a copy of the worm infected with this virus to the same person to whom the user sends an email message (using the same program).

Here is a list of file names that this virus might use when it sends the infected worm to other people. For those files with .pif extensions, the .pif extension might not be visible in your mail program.

I_wanna_see_you.txt.pif
Matrix_screen_saver.scr
Love_letter_for_you.txt.pif
New_playboy_screen_saver.scr
Bill_gates_piece.jpg.pif
Tiazinha.jpg.pif
Feiticeira_nua.jpg.pif
Geocities_free_sites.txt.pif
New_napster_site.txt.pif
Metallica_song.mp3.pif
Anti_cih.exe
Internet_security_forum.doc.pif
Alanis_screen_saver.scr
Reader_digest_letter.txt.pif
Win_$100_now.doc.pif
Is_linux_good_enough!.txt.pif
Qi_test.exe
Avp_updates.exe
Seicho_no_ie.exe
You_are_fat!.txt.pif
Free_xxx_sites.txt.pif
I_am_sorry.doc.pif
Me_nude.avi.pif
Sorry_about_yesterday.doc.pif
Protect_your_credit.html.pif
Jimi_hendrix.mp3.pif
Hanson.scr
F___ing_with_dogs.scr
Matrix_2_is_out.scr
Zipped_files.exe
Blink_182.mp3.pif

Wininit.ini is created by this component, which causes Wsock32.dll to be deleted and Wsock32.mtx to be renamed to Wsock32.dll. Wininit.ini executes after the computer is restarted. After Wininit.ini is created, this component runs the virus component.

Virus component
The virus component searches for specific antivirus programs running. If the virus finds one, the virus does not run. If the virus continues to run, it decompresses the worm component, drops a copy of it into the user's Windows directory (typically C:Windows), and runs it. The name of this dropped file is Ie_pack.exe. After Ie_pack.exe is executed, it is renamed to Win32.dll.

The virus also drops Mtx_.Exe and runs it. This is a downloader program that goes to a specific Web site (i.am/[MATRIX]) where plug-ins for the virus are downloaded and executed. It searches for Win32 executables in the current directory, Windows directory, and the Temp directory. The file to be infected needs to have a size that is not divisible by 101, is greater than 8 KB in size, and has at least 20 import call instructions. If not, the file is not infected by the virus.

The virus also adds a registry entry that lets the downloader run automatically every time the system is started. The downloader is invisible in the Task List.

In order to fix this problem, check out this URL:

http://www.symantec.com/avcenter/venc/data/w95.mtx.fix.tool.html

This Web Site is proudly built upon an Open Source foundation:
Assembled with PHP Powered by Debian Linux Fueled by MySQL
Served by Apache

Home | Services | Support | Members | Software | Contact

MartNet - PO Box 42472 Philadelphia, PA 19101
Copyright 1996 - 2015 MartNet Communications LLC. All Rights Reserved.