The MTX virus consists of three parts: a virus, a worm and a backdoor program. It spreads on 32-bit Windows systems: the virus part infects Win32 executables, the worm part sends e-mail with an infected attachment, and the backdoor part is installed into the affected system.
The virus has an unusual structure. It contains three different components (virus, worm, backdoor). The virus component is the main one: it carries the worm and backdoor code inside its own body in compressed form. When it infects a system it decompresses them and installs them.
The structure of the MTX virus looks like the following:
 ------------------
 | Virus          |  -> Installs the worm and backdoor into the system, then
 | installation   |     finds and infects Win32 executable files.
 | and infection  |
 | routines       |
 ------------------
 | Worm code      |  -> Runs as a separate user program.
 | (compressed)   |
 ------------------
 | Backdoor code  |  -> Runs as a separate, independent process.
 | (compressed)   |
 ------------------
The worm does not contain any routine to install itself into the system; the virus is used for that. The worm is infected by the virus just like an ordinary file and is then sent out.
The reason for this design is not clear; possibly the components were written by different people.
The virus section contains the following text:
Sab.b Virus
Software Provide by [Matrix] VX Team: Ultras, Mort, NBK, Lord Dark,
Del_armg0, Anaktos
Greetz: All Vx Guy In #virus and vecna for Help US
Visit US AT:
http://www.coderz.neet/matrix
The worm part contains the following text:
Software Provide by [Matrix] VX Team:
Ultras, MORT, NBK, LORD DARK, DEL_ARMG0, ANAKTOS
Greetz:
All vx guy on #virus channel and vecna
Visit US: www.coderz.net/matrix
The backdoor component contains the following text:
Software provide by [matrix] Team:
Ultras, MORT, NBK, LORD DARK, DEL_ARMG0, ANAKTOS
Greetz:
Vecna 4 Source Codes and Ideas
- Virus Component:
The virus component uses EPO (Entry Point Obscuring) when infecting files. This means the virus does not touch the entry point of the file. Instead, the "jump to virus" instruction is placed somewhere in the middle of the program code, which makes detection and disinfection more complicated. As a result the virus is only activated when the infected routine inside the host program receives control.
The virus is also encrypted; it first decrypts itself when its code receives control. Then it scans the Win32 kernel (KERNEL32) to locate the Win32 API functions it needs.
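To make the EPO point concrete, here is an added example (written for this page, not code from the original description or from the MTX authors): a minimal PE32 header walk in Python that reports which section holds the entry point, then scans every code section for rel32 CALL/JMP instructions whose target leaves that section, which is exactly the kind of mid-code hook an EPO infector plants. The two sample files are constructed inside the script (a clean two-section stub and an "infected" copy with a jump into an appended section); the section names, sizes and the ".mtx" label are assumptions for the demonstration, not MTX's real layout.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Minimal PE32 header walk: returns (AddressOfEntryPoint, [sections])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        f = struct.unpack_from(SECTION_HDR, data, opt_off + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "va": f[2],
                         "size": max(f[1], f[3]), "raw": f[4], "rawsize": f[3],
                         "flags": f[9]})
    return entry, sections


def section_of(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + s["size"]:
            return s
    return None


def entry_section(data):
    """Name of the section holding the entry point (what a naive check looks at)."""
    entry, sections = parse_pe(data)
    s = section_of(sections, entry)
    return s["name"] if s else None


def cross_section_jumps(data):
    """Heuristic EPO check: rel32 CALL/JMP (E8/E9) inside a code section whose
    target lies outside that section. Returns (source_rva, target_rva, name).
    Noisy on real binaries (data bytes that look like E8/E9, legitimate calls
    between code sections), so treat hits as leads, not verdicts."""
    _, sections = parse_pe(data)
    hits = []
    for s in sections:
        if not s["flags"] & IMAGE_SCN_CNT_CODE:
            continue
        raw = data[s["raw"]:s["raw"] + s["rawsize"]]
        for i in range(len(raw) - 4):
            if raw[i] not in (0xE8, 0xE9):
                continue
            rel = struct.unpack_from("<i", raw, i + 1)[0]
            src = s["va"] + i
            target = (src + 5 + rel) & 0xFFFFFFFF
            if not s["va"] <= target < s["va"] + s["size"]:
                dst = section_of(sections, target)
                hits.append((src, target, dst["name"] if dst else "<outside image>"))
    return hits


def build_sample_pe(infected):
    """Constructed two-section PE32 (not a real program). With infected=True a
    third section is appended and a JMP to it is planted mid-.text while the
    entry point stays at the start of .text, as an EPO infector would do."""
    text = bytearray(b"\x90" * 0x40) + b"\xC3"   # NOP sled, then RET
    if infected:
        src = 0x1000 + 0x10                       # hook placed mid-code, not at entry
        text[0x10:0x15] = b"\xE9" + struct.pack("<i", 0x3000 - (src + 5))
    code_flags = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    sections = [(b".text", 0x1000, bytes(text).ljust(0x200, b"\0"), code_flags),
                (b".data", 0x2000, b"\0" * 0x200,
                 IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)]
    if infected:
        sections.append((b".mtx", 0x3000, b"\xCC" * 0x200, code_flags))  # placeholder body
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200) # ImageBase, alignments
    hdrs, body, raw_ptr = b"", b"", 0x400
    for name, va, blob, flags in sections:
        hdrs += struct.pack(SECTION_HDR, name, len(blob), va, len(blob), raw_ptr, 0, 0, 0, 0, flags)
        body += blob
        raw_ptr += len(blob)
    return (dos + coff + bytes(opt) + hdrs).ljust(0x400, b"\0") + body


if __name__ == "__main__":
    for infected in (False, True):
        pe = build_sample_pe(infected)
        print("infected" if infected else "clean", entry_section(pe), cross_section_jumps(pe))
```

Both samples report ".text" as the entry-point section, which is the whole point of EPO: a check that only looks at AddressOfEntryPoint sees nothing, while the cross-section scan surfaces the planted jump. On real binaries expect false positives from data that happens to start with E8/E9 and from legitimate calls between code sections; use the output to direct manual inspection of a suspect file, not as a standalone scanner.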
It then looks for anti-virus programs active on the system; as soon as it finds one, it exits.
The anti-virus programs the virus looks for are identified by the following names:
Antiviral Toolkit Pro
AVP Monitor
Vsstat
Webscanx
Avconsol
McAfee Virusscan
Vshwin32
Central Do McAfee Virusscan
Next the virus installs the other components into the system: it decompresses them into the Windows directory, creating three files there with the hidden attribute set:
IE_PACK.EXE - pure worm code
WIN32.DLL - worm code infected by the virus
MTX_.EXE - backdoor program code
The virus then infects Win32 PE EXE files in the current directory, the Temporary directory and the Windows directory, and exits.
- Worm Component
The worm uses a technique first introduced by Happy99/SKA: it appends its code to the end of WSOCK32.DLL in the Windows System directory and hooks that library's "send" export. As a result the worm monitors all data sent from this machine to the Internet. Normally WSOCK32.DLL is already in use when the worm starts and is locked by Windows. To get around this, the worm uses the standard method: it creates a copy of the original WSOCK32.DLL as WSOCK32.MTX, infects the copy, and writes a "replace original file with infected one" instruction into the [rename] section of WININIT.INI:
NUL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\WSOCK32.MTX
Windows processes WININIT.INI during the next boot, so the infected WSOCK32.DLL replaces the original on restart and the worm gains access to all data sent out from this machine. The worm pays attention to the Internet sites (Web, FTP) being visited and to the e-mail being sent.
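Because the swap only happens at the next boot, a pending WININIT.INI is a window in which the infection can still be caught. The following is an added example (written for this page, not code from the original description or the worm): a small Python parser for the [rename] section that flags entries which delete or overwrite files under the system directory. The sample file is constructed here from the two lines shown above plus one benign installer-style entry; the list of protected directories is an assumption for the example.

```python
# Directories whose files should never be silently replaced by a pending rename.
# Assumed list for this example; extend it for the host being examined.
PROTECTED_DIRS = ("\\windows\\system\\", "\\windows\\system32\\")


def parse_wininit(text):
    """Parse the [rename] section of a WININIT.INI file.

    Returns (destination, source) pairs in file order. Entries use
    'destination=source'; a destination of NUL means 'delete source'.
    Keys repeat (several NUL= lines are normal), so the section is parsed
    by hand rather than with configparser, which would collapse duplicates.
    """
    entries, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dst, src = (part.strip() for part in line.split("=", 1))
            entries.append((dst, src))
    return entries


def _in_protected_dir(path):
    normalized = path.lower().replace("/", "\\")
    return any(d in normalized for d in PROTECTED_DIRS)


def suspicious_renames(text):
    """Flag pending operations that delete or overwrite a file in a protected
    directory. Returns (action, target, source) triples; source is None for
    deletions."""
    findings = []
    for dst, src in parse_wininit(text):
        if dst.upper() == "NUL":
            if _in_protected_dir(src):
                findings.append(("delete", src, None))
        elif _in_protected_dir(dst):
            findings.append(("replace", dst, src))
    return findings


# Constructed sample: the two lines the worm writes (as described above) plus a
# benign temp-file cleanup of the kind installers leave behind.
SAMPLE_WININIT = """[rename]
NUL=C:\\WINDOWS\\TEMP\\setup_tmp.dll
NUL=C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.MTX
"""

if __name__ == "__main__":
    for action, target, source in suspicious_renames(SAMPLE_WININIT):
        print(action, target, source or "")
```

Windows renames the processed file to WININIT.BAK once the operations have run, so when examining a machine after a reboot, feed WININIT.BAK to the same parser to recover what was replaced.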
The most visible behaviour of the worm is that it blocks access to some Internet sites and also blocks sending e-mail to the same domains. It recognises them by looking for the following four-character strings:
nii.
nai.
avp.
f-se
mapl
pand
soph
ndmi
afee
yenn
lywa
tbav
yman
The worm also does not allow the user to send e-mail to the following domains:
wildlist.o*
il.esafe.c*
perfectsup*
complex.is*
hiserv.com*
hiserv.com*
metro.ch*
beyond.com*
mcafee.com*
pandasoftw*
earthlink.*
inexar.com*
comkom.co.*
meditrade.*
mabex.com*
cellco.com*
symantec.c*
successful*
inforamp.n*
newell.com*
singnet.co*
bmcd.com.a*
bca.com.nz*
trendmicro*
sophos.com*
maple.com.*
netsales.n*
f-secure.c*
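The practical consequence of these two lists is that, on an infected machine, connections to anti-virus vendors fail silently and mail to them never leaves. The following added example (written for this page, not the worm's own code) reproduces the filter so a responder can test whether a failed request or bounced address is explained by it. It assumes the four-character markers are matched case-insensitively anywhere in the outgoing buffer (the worm hooks send(), so it sees the request line and headers) and that the trailing "*" in the domain list means a prefix match on the part after "@"; the sample HTTP requests and addresses are constructed for the example.

```python
# Four-character markers the worm looks for in outgoing data (the list above).
SITE_MARKERS = ("nii.", "nai.", "avp.", "f-se", "mapl", "pand", "soph",
                "ndmi", "afee", "yenn", "lywa", "tbav", "yman")

# Recipient-domain prefixes (the list above with the trailing '*' removed).
MAIL_DOMAIN_PREFIXES = (
    "wildlist.o", "il.esafe.c", "perfectsup", "complex.is", "hiserv.com",
    "metro.ch", "beyond.com", "mcafee.com", "pandasoftw", "earthlink.",
    "inexar.com", "comkom.co.", "meditrade.", "mabex.com", "cellco.com",
    "symantec.c", "successful", "inforamp.n", "newell.com", "singnet.co",
    "bmcd.com.a", "bca.com.nz", "trendmicro", "sophos.com", "maple.com.",
    "netsales.n", "f-secure.c",
)


def blocks_send(payload):
    """Return the marker that would make the hooked send() drop this buffer,
    or None. Assumption: case-insensitive substring search over the whole
    outgoing buffer, so the URL path is checked as well as the Host header."""
    text = payload.decode("latin-1").lower()
    for marker in SITE_MARKERS:
        if marker in text:
            return marker
    return None


def blocks_recipient(address):
    """Return the domain prefix that blocks mail to this address, or None.
    Assumption: the part after '@' is compared case-insensitively against
    each prefix ('wildlist.o*' matches any domain starting 'wildlist.o')."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    for prefix in MAIL_DOMAIN_PREFIXES:
        if domain.startswith(prefix):
            return prefix
    return None


def explain_failures(requests, recipients):
    """Map each failed request (first line) and address to the rule that
    blocked it, or None when the filter does not explain the failure."""
    return {
        "requests": {r.decode("latin-1").splitlines()[0]: blocks_send(r) for r in requests},
        "recipients": {a: blocks_recipient(a) for a in recipients},
    }


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    sample_requests = [
        b"GET / HTTP/1.0\r\nHost: www.sophos.com\r\n\r\n",
        b"GET /expand/index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
        b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    ]
    sample_recipients = ["Alerts@WildList.org", "user@example.com"]
    for kind, results in explain_failures(sample_requests, sample_recipients).items():
        for item, rule in results.items():
            print(kind, repr(item), "->", rule or "not blocked")
```

The second sample request shows the collateral damage of a four-character substring filter: a path containing "expand" trips the "pand" marker even though the host has nothing to do with an anti-virus vendor, so unrelated sites can break on an infected machine as well.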
The worm also intercepts e-mail messages: when a message is sent, it tries to send a second message to the same address with an infected attachment. As a result the recipient receives two messages: the first is the sender's original e-mail; the second has an empty subject and body but carries one attachment. The attachment is the worm itself, and its name is chosen from the following list depending on the current date:
Readme.txt.pif
I_wanna_see_you.txt.pif
Matrix_screen_saver.scr
LOVE_LETTER_FOR_YOU.TXT.PIF
NEW_PLAYBOY_SCREEN_SAVER.SCR
BILL_GATES_PIECE.JPG.PIF
Tiazinha.jpg.pif
Feiticeira_nua.jpg.pif
Geocities_free_sites.txt.pif
New_napster_site.txt.pif
Metallica_song.mp3.pif
Anti_cih.exe
Internet_security_forum.doc.pif
Alanis_screen_saver.scr
Reader_digest_letter.txt.pif
WIN_$100_now.doc.pif
IS_LINUX_GOOD_ENUGH!.txt.pif
Qi_Test.exe
AVP_UPDATES.EXE
Seicho-no-ie.exe
You_are_fat!.txt.pif
Free_XXX_SITES.TXT.PIF
I_am_sorry.doc.pif
ME_NudE.avi.pif
Sorry_about_yesterday.doc.pif
Protect_your_credit.html.pif
Jimi_hmndrix.mp3.pif
Hanson.scr
Fucking_with_dogs.scr
Matrix_2_is_out.scr
Zipped_files.exe
BLINK_182.MP3.PIF
- Backdoor Component
When run, the backdoor program creates a new registry key that marks the machine as infected:
HKLM\Software\[Matrix]
If this key already exists, the backdoor skips the installation. Otherwise it registers itself to run automatically at startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemBackup=%WINDIR%\MTX_.exe
where %WINDIR% is the Windows directory. Because the backdoor only checks for the presence of this key, the key is also a reliable infection indicator when examining a machine.
The backdoor then stays active in Windows as a hidden application (service). In a loop it connects to a web server, downloads files from there and installs them on the system. In this way the backdoor can be used to upgrade the virus to other versions, or to install a Trojan horse or a more powerful backdoor with additional functions.