Classification

Category :

Malware

Type :

Worm

Aliases :

Shatrix, I-Worm.Shatrix

Summary

Shatrix is a worm that spreads via the Internet being attached to infected emails. The worm also spreads over local network by copying to shared drives. The worm itself is a Windows PE EXE file about 380Kb of length, written in Delphi.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The infected messages have:

Subject: FW:Shake a little
Body:

Hi !

 This will shake your world :-)

 Regards,

 %username%
Attach:
SHAKE.EXE

where %username% is the name of user of an infected machine.

The worm activates from infected email only in case a user clicks on attached file. The worm then installs itself to the system, runs spreading routine and payload.

While installing the worm copies itself to Windows system directory with the random name and registers that file in system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemInfo = %worm file name%

To send infected messages the worm uses MS Outlook MAPI. To get victim addresses the worm looks for and scans following files:

*.asp *.html *.htm

Depending on system date the worm creates random directories, drops HTML files with texts which are randomly constructed from strings:

MatriX is out there
MatriX has You...
MatriX is All around You
010011010110000101110100011100100110100101011000