Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/MTX

Win32/MTX is one of the most complex infiltrations seen recently. It consists of a virus, a worm, a backdoor (an FTP server) and a script for the IRC clients mIRC and PIRCH. Its author is the international virus-writing group MATRiX.
The worm installs itself in place of the file wsock32.dll: it creates an infected copy of the library, temporarily named wsock32.mtx, and uses the system registry to make sure the copy is activated at the next restart. From then on the worm controls outgoing electronic mail. Whenever a message is sent, the worm sends one more message to the same addresses, with the same subject but an empty body and an attachment. The attachment is given one of the following names:

README.TXT.pif
I_wanna_see_YOU.TXT.pif
MATRiX_Screen_Saver.SCR
LOVE_LETTER_FOR_YOU.TXT.pif
NEW_playboy_Screen_saver.SCR
BILL_GATES_PIECE.JPG.pif
TIAZINHA.JPG.pif
FEITICEIRA_NUA.JPG.pif
Geocities_Free_sites.TXT.pif
NEW_NAPSTER_site.TXT.pif
METALLICA_SONG.MP3.pif
ANTI_CIH.EXE
INTERNET_SECURITY_FORUM.DOC.pif
FREE_yahoo-email.DOC.pif
READER_DIGEST_LETTER.TXT.pif
WIN_$100_NOW.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
QI_TEST.EXE
AVP_Updates.EXE
SEICHO-NO-IE.EXE
YOU_are_FAT!.TXT.pif
FREE_xxx_sites.TXT.pif
I_am_sorry.DOC.pif
I_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
Protect_your_credit.HTML.pif
JIMI_HMNDRIX.MP3.pif
HANSON.SCR
FUCKING_WITH_DOGS.SCR
MATRiX_2_is_OUT.SCR
zipped_files.EXE
BLINK_182.MP3.pif

One notable feature of the worm is its self-defence: it blocks access to web pages whose addresses contain any of the following strings:

NAI.
nai.
avp.
AVP.
F-Se
f-se
mapl
pand
soph
ndmi
afee
yenn
lywa
tbav
yman

In this way it blocks access to the web pages of the vendors of McAfee VirusScan, AVP, F-Secure Anti-Virus, Panda Antivirus, Sophos Sweep, TBAV, Symantec Norton AntiVirus, Cheyenne InocuLAN and Trend Micro PC-cillin. Access to the pages of ESET Ltd. and ESET LLC is not affected. On an infected machine the pages listed above can be reached only through their numeric IP addresses, which contain none of the filtered strings. Those addresses can be found at www.coderz.net/matrix, where the MATRiX group's page used to be: the hosting provider took that page down for violating its terms of service and now links to the blocked sites from it.
The worm also defends itself by preventing e-mail from being sent to anti-virus companies. It does this by searching the recipient addresses of outgoing messages for the strings in the following list:

wildlist.o
il.esafe.c
perfectsup
complex.is
HiServ.com
hiserv.com
metro.ch>
beyond.com
mcafee.com
pandasoftw
earthlink.
inexar.com
comkom.co.
meditrade.
mabex.com>
cellco.com
symantec.c
successful
inforamp.n
newell.com
singnet.co
bmcd.com.a
bca.com.nz
trendmicro
sophos.com
maple.com.
netsales.n
f-secure.c
F-Secure.c
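Both filters above are plain substring checks, so the following added example (written for this page; not code from ESET or from the worm itself) re-creates them and runs constructed sample inputs through them to show what they block and what slips through. The fragment lists are copied from the description above; the URLs, the recipient addresses and the 192.0.2.10 documentation address are made-up inputs.

```python
# Added example for this page: it is not code from ESET or from the MTX worm.
# It re-creates the two substring filters the description attributes to the
# worm (web addresses, e-mail recipients) and runs constructed sample inputs
# through them. The lists are copied from the description; the inputs are
# made up for the demonstration.

URL_FRAGMENTS = [
    "NAI.", "nai.", "avp.", "AVP.", "F-Se", "f-se", "mapl", "pand",
    "soph", "ndmi", "afee", "yenn", "lywa", "tbav", "yman",
]

MAIL_FRAGMENTS = [
    "wildlist.o", "il.esafe.c", "perfectsup", "complex.is", "HiServ.com",
    "hiserv.com", "metro.ch>", "beyond.com", "mcafee.com", "pandasoftw",
    "earthlink.", "inexar.com", "comkom.co.", "meditrade.", "mabex.com>",
    "cellco.com", "symantec.c", "successful", "inforamp.n", "newell.com",
    "singnet.co", "bmcd.com.a", "bca.com.nz", "trendmicro", "sophos.com",
    "maple.com.", "netsales.n", "f-secure.c", "F-Secure.c",
]


def matching_fragment(text, fragments):
    """Return the first fragment found as a case-sensitive substring of text,
    or None. The comparison is case-sensitive on purpose: the worm's lists
    carry separate upper- and lower-case spellings (NAI./nai., F-Se/f-se),
    which only makes sense for a plain byte-for-byte search."""
    for fragment in fragments:
        if fragment in text:
            return fragment
    return None


def url_blocked(url):
    """True if the worm's web filter would refuse this address."""
    return matching_fragment(url, URL_FRAGMENTS) is not None


def recipient_blocked(address):
    """True if the worm's mail filter would drop a message to this recipient."""
    return matching_fragment(address, MAIL_FRAGMENTS) is not None


def filter_report(urls, recipients):
    """Map each input to the fragment that blocks it (None means it passes)."""
    return {
        "urls": {u: matching_fragment(u, URL_FRAGMENTS) for u in urls},
        "recipients": {r: matching_fragment(r, MAIL_FRAGMENTS) for r in recipients},
    }


if __name__ == "__main__":
    # Constructed inputs. 192.0.2.10 is a documentation address, not a vendor IP.
    sample_urls = [
        "http://www.mcafee.com/",    # blocked by "afee"
        "http://www.sophos.com/",    # blocked by "soph"
        "http://www.Sophos.com/",    # passes: host names are case-insensitive, the filter is not
        "http://192.0.2.10/",        # passes: a numeric address contains none of the strings
        "http://www.eset.com/",      # passes: ESET is not in the list, as the description says
    ]
    sample_recipients = [
        "support@sophos.com",        # blocked by "sophos.com"
        "<info@metro.ch>",           # blocked by "metro.ch>" ...
        "info@metro.ch",             # ... but the same address without brackets passes
        "mail@successful.example",   # collateral damage: "successful" matches unrelated names
    ]
    for kind, results in filter_report(sample_urls, sample_recipients).items():
        for item, fragment in results.items():
            verdict = f"BLOCKED by {fragment!r}" if fragment else "passes"
            print(f"{kind:10} {item:28} {verdict}")
```

Running it shows the gaps a practitioner should expect from a filter of this kind: the match is case-sensitive while host names are not, so www.Sophos.com passes; numeric addresses pass, which is the bypass mentioned above; the entries that end in ">" match only recipients written in angle brackets; and the entry "successful" blocks any unrelated recipient that happens to contain that word.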

The worm contains the following text:

Software provide by [MATRiX] VX team:
Ultras, Mort, Nbk, Tgr, Del_Armg0, Anaktos
Greetz:
All VX guy on #virus channel and Vecna
Visit us: www.coderz.net/matrix

The backdoor component of the infiltration installs an FTP server (file MTX_.EXE) through which files and plug-ins can be downloaded from specific Internet sites and installed. The backdoor contains the following text string:

Software provide by [MATRiX] team:
Ultras, Mort, Nbk, Tgr, Del_Armg0, Anaktos
Greetz:
Vecna 4 source codes and ideas

The virus component uses a technique known as Entry Point Obscuring (EPO). Unlike a classical file infector it does not change the program's entry point to point at its own code; instead it patches a jump to its code at a suitable point inside the program's existing code, so the entry point looks untouched. The aim is to make detection by anti-virus programs as difficult as possible. The virus component contains the following text:

SABIÁ ViRuS
Software provide by
[MATRiX] VX TeAm: Ultras, Mort, Nbk, Tgr, Del_Armg0, Anaktos
Greetz: All VX guy in #virus and Vecna for help us
Visit us at:
http://www.coderz.net/matrix
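As an added illustration of the Entry Point Obscuring technique described above (example code written for this page, not ESET's analysis code and not the virus), the block below models an infection on a flat byte buffer and shows why the usual entry-point check misses it while a check on call targets does not. Everything in it is a simplification and an assumption of the example: the module is a bytes image with the code section at the front and no PE header, the entry field stands in for AddressOfEntryPoint, the payload is four int3 bytes, and call instructions are found with a naive scan for the E8 opcode.

```python
# Added example for this page: not code from ESET or from the MATRiX group.
# A toy model of Entry Point Obscuring on a flat x86 code buffer, next to the
# heuristic check that catches it. Simplifications (assumptions): a "module"
# is a byte image whose code section is image[:code_end]; there is no PE
# header, and call instructions are found by a naive linear scan for E8.

import struct
from dataclasses import dataclass


@dataclass
class Module:
    image: bytes    # whole file image, code section first, then data
    code_end: int   # end of the code section inside image
    entry: int      # stand-in for the PE AddressOfEntryPoint


CALL = 0xE8  # x86 near relative call: E8 rel32, target = (offset + 5) + rel32


def find_calls(module):
    """Return (offset, target) for every E8 rel32 inside the code section.
    Toy linear scan; real code needs a disassembler, because an E8 byte can
    also appear inside an immediate or a displacement."""
    calls = []
    for off in range(module.code_end - 4):
        if module.image[off] == CALL:
            rel = struct.unpack_from("<i", module.image, off + 1)[0]
            calls.append((off, off + 5 + rel))
    return calls


def epo_infect(module, payload):
    """Append payload and retarget the first call in the code section to it.
    The entry point is left alone; that is what makes this EPO rather than a
    classical infector. Returns the infected module and the call's original
    target, which a real virus has to store so it can pass control on."""
    inside = [(o, t) for o, t in find_calls(module) if 0 <= t < module.code_end]
    if not inside:
        raise ValueError("no suitable call instruction to hijack")
    off, original_target = inside[0]
    image = bytearray(module.image) + payload
    payload_offset = len(module.image)
    struct.pack_into("<i", image, off + 1, payload_offset - (off + 5))
    return Module(bytes(image), module.code_end, module.entry), original_target


def entry_outside_code(module):
    """Classic check: an entry point outside the code section is suspicious.
    EPO is designed to pass this test."""
    return not (0 <= module.entry < module.code_end)


def suspicious_calls(module):
    """EPO-aware check: calls whose target leaves the code section."""
    return [(o, t) for o, t in find_calls(module) if not (0 <= t < module.code_end)]


def sample_module():
    """Constructed 17-byte code section followed by 3 bytes of data.
    offset 0:  mov eax, 1      (B8 01 00 00 00)  entry point
    offset 5:  call +6 -> 16   (E8 06 00 00 00)
    offset 10: ret             (C3)
    offset 11: nop x5          (90 ...)
    offset 16: ret             (C3)  the called function"""
    code = bytes([0xB8, 1, 0, 0, 0, 0xE8, 6, 0, 0, 0, 0xC3,
                  0x90, 0x90, 0x90, 0x90, 0x90, 0xC3])
    data = b"\x00\x00\x00"
    return Module(code + data, len(code), 0)


if __name__ == "__main__":
    clean = sample_module()
    infected, saved = epo_infect(clean, b"\xCC" * 4)  # placeholder payload: int3 x4
    print("entry unchanged:", infected.entry == clean.entry)          # True
    print("entry check flags infected:", entry_outside_code(infected))  # False
    print("call check flags infected:", suspicious_calls(infected))     # [(5, 20)]
    print("saved original target:", saved)                              # 16
```

The infected image keeps entry point 0 and the same first instruction, so a scanner that only asks "does the entry point lie in the code section?" sees nothing; the redirected call at offset 5 now targets offset 20, which is past the end of the code section, and that is the anomaly an EPO-aware heuristic keys on.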

The virus body is encrypted, and the virus does not activate if any of the following anti-virus programs is present:

AntiViral Toolkit Pro
AVP Monitor
Vsstat
Webscanx
Avconsol
McAfee VirusScan
Vshwin32
Central do McAfee VirusScan

NOD is not among the programs the virus checks for, so the virus runs in its presence and NOD protects against it. Once run, the virus installs itself in the system and infects Portable Executable files with the extensions EXE, DLL, SCR and OCX in the current directory, in the temporary directory and in the Windows directory.
The plug-in for the IRC clients mIRC and PIRCH spreads the infiltration when certain key words are used on IRC, and it also keeps the infected user from being warned: when someone uses a word containing the strings worm, virus, file, exe or src, for example, the mIRC plug-in puts that person on ignore.
Four variants of the infiltration have been identified so far. It is widespread among users; fortunately, its spread is limited by numerous errors in its code.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.