Colds, Flu, and Virii Getting You Down?

By Fred Hume

Yup! 'Tis the season. Did you get your flu shot yet?? Yes, I know you're busy what with all the Holiday running around, buying presents, etc.

It's also the time of the year when you're probably going to get e-mails from people you haven't heard from in years and, some of those e-mails may have attachments. "Ok," you say, "I'll take a quick look at the attachments and reply to them all later."

Ha, ha! Joke's on you. One of them was a virus from a "well-meaning" friend who didn't know he was infected. Why am I ranting on this subject again?? Cause it's probably gonna happen. Not to all of you, but, I'll bet, to some of you.

Have you been "religiously" updating your anti-virus programs like I've recommended in the past? If not, I suggest you do, and soon. Here's why. There's a new little virus known as TROJ_MTX.A starting to make its presence known.

Now, thanks to Trend Micro (http://www.trendmicro.com) for the following information. Here's what you are looking for when people start calling you up to ask why you are spreading a virus.

The Troj_MTX.A virus is also known as MTX.A, W32/APOLOGY, W32/MTX, W32/APOLOGY-B, and I-Worm.MTX.

This backdoor Trojan infects EXE, SCR, CPL, and DLL files in the current directory and the Windows directory. On the next reboot WSOCK32.DLL is replaced with the copy infected by the Trojan. Because WSOCK32.DLL handles network calls, the Trojan is then able to monitor access to the Internet and the sending of email.

When an infected user sends an email to an address, the Trojan sends another email to the same address with itself as an attachment. The attachment is also a Trojan copy infected with the virus PE_MTX.A and its filename is randomly selected from the following:

I_wanna_see_YOU.TXT.pif, MATRiX_Screen_Saver.SCR, LOVE_LETTER_FOR_YOU.TXT.pif, NEW_playboy_Screen_saver.SCR, BILL_GATES_PIECE.JPG.pif, NEW_NAPSTER_site.TXT.pif, READER_DIGEST_LETTER.TXT.pif, WIN_$100_NOW.DOC.pif, YOU_are_FAT!.TXT.pif, FREE_xxx_sites.TXT.pif, I_am_sorry.DOC.pif, Me_nude.AVI.pif, Sorry_about_yesterday.DOC.pif, Protect_your_credit.HTML.pif, HANSON.SCR, and others.
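As an added example (not from the article or from Trend Micro), here is a small Python check a mail filter could apply to attachment names: it flags the exact names listed above and, more generally, the double-extension trick the worm relies on, where a document-looking name such as something.TXT or something.DOC actually ends in an executable extension like .pif or .SCR. The sample filenames fed to it at the bottom are constructed for the demonstration.

```python
from typing import Optional

# Attachment names the article lists for TROJ_MTX.A (copied from the text above).
MTX_ATTACHMENT_NAMES = {
    "I_wanna_see_YOU.TXT.pif", "MATRiX_Screen_Saver.SCR",
    "LOVE_LETTER_FOR_YOU.TXT.pif", "NEW_playboy_Screen_saver.SCR",
    "BILL_GATES_PIECE.JPG.pif", "NEW_NAPSTER_site.TXT.pif",
    "READER_DIGEST_LETTER.TXT.pif", "WIN_$100_NOW.DOC.pif",
    "YOU_are_FAT!.TXT.pif", "FREE_xxx_sites.TXT.pif", "I_am_sorry.DOC.pif",
    "Me_nude.AVI.pif", "Sorry_about_yesterday.DOC.pif",
    "Protect_your_credit.HTML.pif", "HANSON.SCR",
}
KNOWN_LOWER = {name.lower() for name in MTX_ATTACHMENT_NAMES}

# Extensions Windows runs as a program no matter what precedes them.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "cpl", "dll", "com", "bat", "vbs"}
# Extensions a user reads as a harmless document or media file.
DOCUMENT_EXTS = {"txt", "doc", "jpg", "gif", "avi", "html", "htm", "pdf"}


def classify_attachment(filename: str) -> Optional[str]:
    """Return a reason to quarantine the attachment, or None if it looks acceptable."""
    lowered = filename.lower()
    if lowered in KNOWN_LOWER:
        return "known TROJ_MTX.A attachment name"
    parts = lowered.rsplit(".", 2)
    # name.DOC.pif style: a "document" extension hiding an executable one
    if len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS:
        return f"document-looking name with executable extension .{parts[2]}"
    # plain .pif / .scr attachments are rarely legitimate in mail
    if len(parts) >= 2 and parts[-1] in {"pif", "scr"}:
        return f"executable attachment type .{parts[-1]}"
    return None


def triage(filenames):
    """Map each filename to its quarantine reason (None means allowed)."""
    return {name: classify_attachment(name) for name in filenames}


if __name__ == "__main__":
    # Constructed sample names, not real mail traffic.
    sample = ["I_am_sorry.DOC.pif", "holiday_photos.JPG.pif", "report.doc", "cute.scr"]
    for name, reason in triage(sample).items():
        print(f"{name:28} -> {reason or 'allowed'}")
```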

Another special characteristic of this virus is that it blocks access to anti-virus vendor Web sites by filtering any site address that contains one of the following strings:

NII. nai. avp. AVP. f-se. F-Se mapl. pand. soph. ndmi. afee. yenn. lywa. tbav. yman.

It also prevents the infected user from sending email to the following domains:

wildlist.o* il.esafe.c* perfectsup* complex.is* hiserv.com* metro.ch* beyond.com* mcafee.com* pandasoftw* earthlink.* inexar.com* comkom.co.* meditrade.* mabex.com * cellco.com* symantec.c* successful* inforamp.n* newell.com* singnet.co* bmcd.com.a* bca.com.nz* trendmicro* sophos.com* maple.com.* netsales.n* F-Secure.c*

Here's how you can fix it if your anti-virus isn't current:

Solution:

1. Click START | Find

2. Search for the file WININIT.INI and delete it if it is present.

3. If you found WININIT.INI, it means the Trojan has not yet finished patching WSOCK32.DLL. In this case, search for and delete the file WSOCK32.MTX. Otherwise, restore the original WSOCK32.DLL by extracting the file from the Windows installation media or by getting a copy from another machine (make sure that machine is virus free). Take note of the major and minor version of the file so the replacement matches your Windows version.

4. Reboot the system in MS-DOS mode.

5. Go to the Windows directory and run the following commands:
   attrib mtx_.exe -h
   attrib Ie_pack.exe -h
   attrib Win32.dll -h
You need to do this to remove the hidden attribute from the dropped files so they can be found and deleted.

6. Restart Windows.

7. Remove any reference to the Trojan file in the system registry:
   HKEY_LOCAL_MACHINE\Software\[MATRIX] (remove the whole key)
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, value SytemBackup = "%windir%\mtx_.exe" (remove this value)

8. Scan your system with your anti-virus and delete all files detected as TROJ_MTX.A. To do this you need the latest pattern file (update) for your anti-virus software.

For more information, go to:

www.antivirus.com/pc-cillin/

www.symantec.com/avcenter/index.html

www.mcafee.com