Worm:W32/MTX

Classification

Category: Malware
Type: Worm
Aliases: Worm:W32/MTX, W32/Apology, I-Worm.MTX

Summary

A standalone malicious program which uses computer or network resources to make complete copies of itself.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

You can also delete the following three components from your Windows directory manually from DOS:

  • IE_PACK.EXE
  • WIN32.DLL
  • MTX_.EXE

Before doing the above procedure, make sure that all other infected files are disinfected by FSAV.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The MTX worm has an unusual structure: it consists of three separate components, each of which runs as a standalone program - a virus, a worm and a backdoor. The MTX worm-virus structure looks like this:

  +------------------+
  | The virus        | --> installs Worm and Backdoor to the system,
  | installation     |     then finds and infects Win32 executable files
  | and infection    |
  | routines         |
  +------------------+
  | Worm code        | --> is extracted to file and run as stand-alone program
  | (compressed)     |
  +------------------+
  | Backdoor code    | --> is extracted to file and run as stand-alone program
  | (compressed)     |
  +------------------+

The virus is the main component; it carries the worm and the backdoor programs inside its own code in compressed form. When the malware arrives on a new victim machine, the virus component installs the worm component, which spreads the malware to other Win32 systems by sending out email messages with infected attachments. The virus also installs the backdoor component, which downloads and runs "plugins" on the affected system, and infects the Win32 executable files it finds.

The worm code alone does not contain all the routines needed to infect the system that receives the infected email (see below) as an attachment. Instead, the worm file is infected by the virus like any ordinary file and is then sent out. The reason for this odd method is not clear; probably the components were written by different people.

The Virus component contains the following text strings:

  • SABIÁ.b ViRuS
  • Software provide by [MATRiX] VX TeAm: Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
  • Greetz: All VX guy in #virus and Vecna for help us
  • Visit us at:
  • http://www.coderz.net/matrix

The worm component contains the following text strings:

  • Software provide by [MATRiX] VX team:
  • Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
  • Greetz:
  • All VX guy on #virus channel and Vecna
  • Visit us: www.coderz.net/matrix

The Backdoor contains the following text strings:

  • Software provide by [MATRiX] team:
  • Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
  • Greetz:
  • Vecna 4 source codes and ideas

Virus Component

The virus component uses the Entry Point Obscuring (EPO) technique when infecting a file. This means that the virus does not modify the file's entry code, but places a "jump-to-virus" instruction somewhere in the middle of the file's code section, which makes detection and disinfection more complex. As a result, the virus is activated only if the branch of the infected program that contains the jump receives control.

The virus is also encrypted, so the first thing its code does when it gets control is decrypt itself. The virus then locates the Win32 API functions it needs by scanning the Win32 kernel, trying the Win9x, WinNT and Win2000 addresses in turn.

The virus then looks for anti-virus programs active in the system and exits if any of them is detected. The anti-virus programs it looks for are:

  • AntiViral Toolkit Pro
  • AVP Monitor
  • Vsstat
  • Webscanx
  • Avconsol
  • McAfee VirusScan
  • Vshwin32
  • Central do McAfee VirusScan

Then the virus installs its components to the system: they are decompressed, written to the Windows directory and then spawned. Three files are created there with the hidden attribute set. Their names are:

  • IE_PACK.EXE - pure Worm code
  • WIN32.DLL - Worm code infected by the virus
  • MTX_.EXE - Backdoor code

The virus then infects Win32 PE EXE files in the current, temporary and Windows directories, and then exits.

Worm Component

The worm component sends infected messages using a technique first introduced by the Happy99/Ska Internet worm. The worm modifies the WSOCK32.DLL file in the Windows system directory by appending part of its code to the end of the file and hooking WSOCK32.DLL's "send" routine. As a result, the worm monitors all data that is sent from the affected computer to the Internet.

Usually the WSOCK32.DLL file is in use at the moment the worm starts and is locked by Windows. To get around this, the worm uses the standard trick: it creates a copy of the original WSOCK32.DLL under the name WSOCK32.MTX, infects that copy, and then writes "replace the original file with the infected one" instructions to the WININIT.INI file:

  • NUL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
  • C:\WINDOWS\SYSTEM\WSOCK32.DLL=D:\WINDOWS\SYSTEM\WSOCK32.MTX

where "C:\WINDOWS\SYSTEM" is the Windows system directory and may differ depending on where Windows is installed.
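The WININIT.INI rename trick described above is worth being able to spot on a suspect machine, because the pending replacement is visible in the file before the reboot carries it out. The following is an added example written for this page (it is not F-Secure's code and not part of the worm): a small parser for the [rename] section that reports pending deletions or replacements of watched system DLLs. Each line under [rename] has the form destination=source, and a destination of NUL deletes the source file. The sample file content is constructed (the two lines MTX writes plus one unrelated, benign entry), and the WATCHED_DLLS set is an assumption of the example.

```python
"""Spot suspicious pending file operations in a WININIT.INI [rename] section.

Added example for this description, not F-Secure's code.  Each line under
[rename] reads "destination=source"; a destination of NUL deletes the
source file at the next boot.  SAMPLE_WININIT is constructed.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# System libraries whose replacement this check cares about (assumption:
# extend for the DLLs you want to watch on your own systems).
WATCHED_DLLS = {"wsock32.dll"}

# Constructed sample: the two lines MTX writes plus one unrelated, benign entry.
SAMPLE_WININIT = (
    "[rename]\n"
    "NUL=C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL\n"
    "C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=D:\\WINDOWS\\SYSTEM\\WSOCK32.MTX\n"
    "C:\\WINDOWS\\SYSTEM\\MFC42.DLL=C:\\WINDOWS\\TEMP\\MFC42.NEW\n"
)


@dataclass
class Rename:
    destination: str
    source: str

    @property
    def is_delete(self) -> bool:
        # "NUL=path" means: delete path at the next boot
        return self.destination.upper() == "NUL"


def parse_rename_section(text: str) -> list[Rename]:
    """Return the entries of the [rename] section in file order."""
    entries = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            entries.append(Rename(dest.strip(), src.strip()))
    return entries


def suspicious_renames(text: str) -> list[tuple[str, str, str]]:
    """Return (destination, source, reason) for entries touching a watched DLL."""
    findings = []
    for entry in parse_rename_section(text):
        src_name = ntpath.basename(entry.source).lower()
        dst_name = ntpath.basename(entry.destination).lower()
        if entry.is_delete and src_name in WATCHED_DLLS:
            findings.append((entry.destination, entry.source,
                             "pending delete of watched DLL"))
        elif dst_name in WATCHED_DLLS:
            findings.append((entry.destination, entry.source,
                             "watched DLL replaced at next boot"))
    return findings


if __name__ == "__main__":
    for dest, src, reason in suspicious_renames(SAMPLE_WININIT):
        print(f"{reason}: {dest} <- {src}")
```

On the constructed sample the check reports both MTX lines (the delete of the original WSOCK32.DLL and its replacement by WSOCK32.MTX) and ignores the benign MFC42 update; the same parser can be pointed at a real WININIT.INI read from a suspect disk.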

The infected WSOCK32 replaces the original one during the next reboot, and the worm gains access to the data sent from the infected machine. The worm pays attention to the Internet sites (Web, FTP) that are visited, as well as to the email messages sent from the computer.

The most visible symptom of the worm component is that it blocks access to several Internet sites and disables sending messages to the same domains (they are anti-virus vendor domain names). It recognises them by the following four-character combinations:

  • nii.
  • nai.
  • avp.
  • f-se
  • mapl
  • pand
  • soph
  • ndmi
  • afee
  • yenn
  • lywa
  • tbav
  • yman

Furthermore, the worm does not allow the user to send email messages to the following domains (the trailing "*" stands for the rest of the domain name):

  • wildlist.o*
  • il.esafe.c*
  • perfectsup*
  • complex.is*
  • HiServ.com*
  • hiserv.com*
  • metro.ch*
  • beyond.com*
  • mcafee.com*
  • pandasoftw*
  • earthlink.*
  • inexar.com*
  • comkom.co.*
  • meditrade.*
  • mabex.com *
  • cellco.com*
  • symantec.c*
  • successful*
  • inforamp.n*
  • newell.com*
  • singnet.co*
  • bmcd.com.a*
  • bca.com.nz*
  • trendmicro*
  • sophos.com*
  • maple.com.*
  • netsales.n*
  • f-secure.c*
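When a machine suddenly cannot reach certain sites or mail certain domains, it helps to check quickly whether the failures line up with this worm's filter. The following is an added example for this page (not F-Secure's code and not the worm's): the two pattern lists above, with matching logic that applies the four-character fragments to host names and mail domains and the prefix patterns to mail domains only, as the text describes. The pattern lists are copied from the description; the destinations used in the demonstration run are constructed.

```python
"""Match destinations against the blocking patterns described for MTX.

Added example for this description (not F-Secure's or the worm's code).
Intended for triage: given sites or mail domains that a suspect host
suddenly cannot reach, it reports which ones the worm's filter would
have blocked.  Patterns are copied from the description above; the
destinations in the demonstration run are constructed.
"""
from fnmatch import fnmatchcase

# Four-character fragments the worm looks for anywhere in a host or domain name.
FRAGMENTS = ["nii.", "nai.", "avp.", "f-se", "mapl", "pand", "soph",
             "ndmi", "afee", "yenn", "lywa", "tbav", "yman"]

# Mail domain prefixes; the trailing "*" stands for the rest of the name.
# One entry carries a stray space exactly as listed in the description;
# whitespace is ignored when matching.
MAIL_DOMAIN_PATTERNS = [
    "wildlist.o*", "il.esafe.c*", "perfectsup*", "complex.is*", "HiServ.com*",
    "hiserv.com*", "metro.ch*", "beyond.com*", "mcafee.com*", "pandasoftw*",
    "earthlink.*", "inexar.com*", "comkom.co.*", "meditrade.*", "mabex.com *",
    "cellco.com*", "symantec.c*", "successful*", "inforamp.n*", "newell.com*",
    "singnet.co*", "bmcd.com.a*", "bca.com.nz*", "trendmicro*", "sophos.com*",
    "maple.com.*", "netsales.n*", "f-secure.c*",
]


def matching_fragment(name: str):
    """Return the first fragment contained in name (case-insensitive), else None."""
    lowered = name.lower()
    for fragment in FRAGMENTS:
        if fragment in lowered:
            return fragment
    return None


def matching_domain_pattern(domain: str):
    """Return the first prefix pattern that matches domain, else None."""
    lowered = domain.lower()
    for pattern in MAIL_DOMAIN_PATTERNS:
        if fnmatchcase(lowered, pattern.replace(" ", "").lower()):
            return pattern
    return None


def check_host(host: str):
    """Web/FTP sites are filtered by the fragment list only."""
    fragment = matching_fragment(host)
    return ("fragment", fragment) if fragment else None


def check_mail_address(address: str):
    """Mail is filtered by the fragment list and by the domain prefix list."""
    domain = address.rsplit("@", 1)[-1]
    fragment = matching_fragment(domain)
    if fragment:
        return ("fragment", fragment)
    pattern = matching_domain_pattern(domain)
    if pattern:
        return ("domain-pattern", pattern)
    return None


def triage(hosts, addresses):
    """Map each destination to the reason it would be blocked, or None."""
    report = {h: check_host(h) for h in hosts}
    report.update({a: check_mail_address(a) for a in addresses})
    return report


if __name__ == "__main__":
    # Constructed destinations for a demonstration run.
    for dest, verdict in triage(["www.f-secure.com", "www.example.org"],
                                ["user@wildlist.org", "user@example.net"]).items():
        print(f"{dest:22} -> {verdict}")
```

Note how short the fragments are: "yman" already catches symantec.com and "ndmi" catches trendmicro.com before the prefix list is even consulted, which is why some unrelated names containing those letter sequences may also become unreachable on an infected machine.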

The worm also intercepts email messages as they are sent and attempts to send a duplicate message with the infected attachment to the same address (just as the Happy99/Ska worm does). As a result, the victim's address should receive two messages: the first is the original message written by the sender; the second is a message with an empty subject and body and an attached file whose name the worm selects from the following list depending on the current date:

  • README.TXT.pif
  • I_wanna_see_YOU.TXT.pif
  • MATRiX_Screen_Saver.SCR
  • LOVE_LETTER_FOR_YOU.TXT.pif
  • NEW_playboy_Screen_saver.SCR
  • BILL_GATES_PIECE.JPG.pif
  • TIAZINHA.JPG.pif
  • FEITICEIRA_NUA.JPG.pif
  • Geocities_Free_sites.TXT.pif
  • NEW_NAPSTER_site.TXT.pif
  • METALLICA_SONG.MP3.pif
  • ANTI_CIH.EXE
  • INTERNET_SECURITY_FORUM.DOC.pif
  • ALANIS_Screen_Saver.SCR
  • READER_DIGEST_LETTER.TXT.pif
  • WIN_$100_NOW.DOC.pif
  • IS_LINUX_GOOD_ENOUGH!.TXT.pif
  • QI_TEST.EXE
  • AVP_Updates.EXE
  • SEICHO-NO-IE.EXE
  • YOU_are_FAT!.TXT.pif
  • FREE_xxx_sites.TXT.pif
  • I_am_sorry.DOC.pif
  • Me_nude.AVI.pif
  • Sorry_about_yesterday.DOC.pif
  • Protect_your_credit.HTML.pif
  • JIMI_HMNDRIX.MP3.pif
  • HANSON.SCR
  • FUCKING_WITH_DOGS.SCR
  • MATRiX_2_is_OUT.SCR
  • zipped_files.EXE
  • BLINK_182.MP3.pif
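Every name in the list above is either a screen saver, an executable, or an executable extension (.pif) hidden behind a document-like one, which is what a mail gateway check should key on. The following is an added example for this page (not F-Secure's code): a classifier that matches attachment names against the list and, going beyond the list, flags the general double-extension pattern. The attachment names are copied from the description; the EXECUTABLE_EXTS and DECOY_EXTS sets are assumptions of the example, and the names in the demonstration run are constructed.

```python
"""Classify mail attachment names against MTX's list and the double-extension trick.

Added example for this description (not F-Secure's code).  Besides the exact
names MTX uses, it flags the general pattern of an executable extension
(.pif, .scr, .exe, ...) hidden behind a document-like one.  The names in
the demonstration run are constructed.
"""

# Names copied from the description above, compared case-insensitively.
MTX_ATTACHMENT_NAMES = {name.lower() for name in [
    "README.TXT.pif", "I_wanna_see_YOU.TXT.pif", "MATRiX_Screen_Saver.SCR",
    "LOVE_LETTER_FOR_YOU.TXT.pif", "NEW_playboy_Screen_saver.SCR",
    "BILL_GATES_PIECE.JPG.pif", "TIAZINHA.JPG.pif", "FEITICEIRA_NUA.JPG.pif",
    "Geocities_Free_sites.TXT.pif", "NEW_NAPSTER_site.TXT.pif",
    "METALLICA_SONG.MP3.pif", "ANTI_CIH.EXE", "INTERNET_SECURITY_FORUM.DOC.pif",
    "ALANIS_Screen_Saver.SCR", "READER_DIGEST_LETTER.TXT.pif",
    "WIN_$100_NOW.DOC.pif", "IS_LINUX_GOOD_ENOUGH!.TXT.pif", "QI_TEST.EXE",
    "AVP_Updates.EXE", "SEICHO-NO-IE.EXE", "YOU_are_FAT!.TXT.pif",
    "FREE_xxx_sites.TXT.pif", "I_am_sorry.DOC.pif", "Me_nude.AVI.pif",
    "Sorry_about_yesterday.DOC.pif", "Protect_your_credit.HTML.pif",
    "JIMI_HMNDRIX.MP3.pif", "HANSON.SCR", "FUCKING_WITH_DOGS.SCR",
    "MATRiX_2_is_OUT.SCR", "zipped_files.EXE", "BLINK_182.MP3.pif",
]}

# Extensions Windows runs as programs, and decoy extensions that make a
# double-extension name look harmless (assumed sets; extend as needed).
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat"}
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "mp3", "avi", "html", "htm", "pdf"}


def classify_attachment(name: str) -> str:
    """Return 'known-mtx-name', 'double-extension', 'executable' or 'clean'."""
    lowered = name.lower()
    if lowered in MTX_ATTACHMENT_NAMES:
        return "known-mtx-name"
    extensions = lowered.split(".")[1:]
    if extensions and extensions[-1] in EXECUTABLE_EXTS:
        if len(extensions) >= 2 and extensions[-2] in DECOY_EXTS:
            return "double-extension"
        return "executable"
    return "clean"


def scan_attachments(names):
    """Return the names that should be held, mapped to their verdicts."""
    verdicts = {name: classify_attachment(name) for name in names}
    return {name: v for name, v in verdicts.items() if v != "clean"}


if __name__ == "__main__":
    # Constructed attachment names for a demonstration run.
    for name, verdict in scan_attachments(
            ["report.txt", "Me_nude.AVI.pif", "notes.doc.scr", "setup.exe"]).items():
        print(f"{verdict:17} {name}")
```

The exact-name list only catches this worm; the double-extension rule is the part that keeps working when the names change, at the cost of also holding legitimate programs sent with a decoy-looking name.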

The worm sends out the WIN32.DLL file that was dropped by the virus component during MTX's first installation on the infected system.

Note: the worm itself does not drop the WIN32.DLL file; it only attaches that existing file to the messages it sends. So the "pure worm" is not able to spread more than once: when run on a victim machine it infects WSOCK32.DLL, but it is not able to send copies of itself further. To "fix that problem", the worm sends its infected copy instead (WIN32.DLL is the worm component infected by the virus component, see above).

Fortunately, the known worm variant has a bug in its spreading routine, and the email server fails to receive the affected messages from the infected machine. So the known worm version cannot spread widely.

Backdoor Component

When run, the backdoor component creates a new key in the system registry that marks the machine as already infected:

  • HKLM\Software\[MATRIX]

If this key already exists, the backdoor skips the installation procedure. Otherwise it registers itself in the auto-run section:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    SystemBackup=%WinDir%\MTX_.EXE

where %WinDir% is the Windows directory.
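These two registry artefacts (the marker key and the Run value) are the quickest way to confirm that the backdoor has installed itself. The following is an added example for this page (not F-Secure's code): a parser for a registry export in the text format REGEDIT produces, which reports the marker key and any Run value that launches MTX_.EXE. The export content is constructed (marker key, the backdoor's Run entry and one benign entry), the HKLM to HKEY_LOCAL_MACHINE normalisation is the example's own, and only string values are parsed.

```python
"""Find MTX backdoor indicators in a Windows Registry export (.reg text).

Added example for this description, not F-Secure's code.  Looks for the
marker key HKLM\\Software\\[MATRIX] and for a Run value whose data
launches MTX_.EXE.  SAMPLE_REG is constructed.
"""
import ntpath
import re

MARKER_KEY = r"hkey_local_machine\software\[matrix]"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
BACKDOOR_FILE = "mtx_.exe"

# Constructed export: the marker key, the backdoor's Run entry and one benign entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\[MATRIX]]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemBackup"="C:\\WINDOWS\\MTX_.EXE"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""

# "Name"=data or @=data (default value); names may contain escaped quotes
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} for the string values of an export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # key names may themselves contain brackets
            keys.setdefault(current, {})
            continue
        match = _VALUE_LINE.match(line) if current is not None else None
        if not match:
            continue                      # binary/dword values are skipped here
        name = "(default)" if match.group(1) == "@" else _unescape(match.group(1)[1:-1])
        data = match.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _normalise(key: str) -> str:
    """Lower-case a key path and expand the HKLM abbreviation (example's own rule)."""
    key = key.lower()
    if key.startswith("hklm\\"):
        key = "hkey_local_machine\\" + key[len("hklm\\"):]
    return key


def mtx_indicators(keys: dict) -> list:
    """Return (indicator, detail) pairs for the artefacts described above."""
    found = []
    norm = {_normalise(k): v for k, v in keys.items()}
    if MARKER_KEY in norm:
        found.append(("infection marker key", MARKER_KEY))
    for name, data in norm.get(RUN_KEY, {}).items():
        # take the program path, ignoring any arguments after it
        program = data.strip('"').split(" ")[0]
        if ntpath.basename(program).lower() == BACKDOOR_FILE:
            found.append(("autorun entry", f"{name}={data}"))
    return found


if __name__ == "__main__":
    for indicator, detail in mtx_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{indicator}: {detail}")
```

The Run value is matched on the program's file name rather than on the "SystemBackup" value name, so a copy registered under a different name in the same key is still reported; the marker key is matched on its full path.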

The backdoor then stays active in Windows as a hidden application (service) and runs a routine that connects to an Internet server, downloads files from it and runs them on the system. So the backdoor can infect the system with other viruses, or install trojan programs or more capable backdoors.

The backdoor in the known virus version has a bug that causes a standard error message to appear when it tries to access the Internet site.