W95.MTX


Aliases: Email-Worm.Win32.MTX (Kaspersky Lab) is also known as: I-Worm.MTX (Kaspersky Lab), W95/MTX.gen@M (McAfee), W95.MTX (Symantec), Win95.Matrix.9245 (Doctor Web), W32/Apology-B (Sophos), Win32/MTX.A@m (RAV)
Variants: PE_Mtx.A, W95/MTX, W32/MTX.9244.A, Win32:MTX-B, I-Worm/MTX.E

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 17 Aug 2000
Damage: Medium

Characteristics: W95.MTX has both a virus component and a worm component. It spreads by email and also infects certain executable files.

More details about W95.MTX

W95.MTX makes a copy of Wsock32.dll and names it Wsock32.mtx. It then changes the send export of the .mtx file to point to its own code. This allows the virus to send a copy of the worm, infected by the virus, to the same person to whom the user sends an email message, using the same program. The worm may use any of the following file names when it sends the infected worm to other users. For files with a .pif extension, the extension might not be visible in the mail program. The file names are Love_letter_for_you.txt.pif, Feiticeira_nua.jpg.pif, I_wanna_see_you.txt.pif, Internet_security_forum.doc.pif, Reader_digest_letter.txt.pif, You_are_fat!.txt.pif, Alanis_screen_saver.scr, Geocities_free_sites.txt.pif, New_playboy_screen_saver.scr, Seicho_no_ie.exe, Bill_gates_piece.jpg.pif, Free_xxx_sites.txt.pif, Matrix_screen_saver.scr, Sorry_about_yesterday.doc.pif, F___ing_with_dogs.scr, I_am_sorry.doc.pif, New_napster_site.txt.pif, Protect_your_credit.html.pif, Win_$100_now.doc.pif, Jimi_hendrix.mp3.pif, Tiazinha.jpg.pif, and Zipped_files.exe.

Additional file names that it uses to send mail are Metallica_song.mp3.pif, Matrix_2_is_out.scr, Is_linux_good_enough!.txt.pif, Me_nude.avi.pif, Blink_182.mp3.pif, Anti_cih.exe, Hanson.scr, Avp_updates.exe, and Qi_test.exe.

A Wininit.ini file is generated that causes Wsock32.dll to be deleted and Wsock32.mtx to be renamed to Wsock32.dll. Wininit.ini takes effect when the computer is restarted. After Wininit.ini is generated, the component then runs the virus component. The virus component looks for particular antivirus programs that are running. If it finds one of these, the virus does not run. If it continues running, the component will be decompressed.
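
The Wininit.ini step described above leaves a trace that can be checked before the next restart, for example on a disk image. The following is an added example, not code from the original page: it parses the [rename] section of a Wininit.ini (Windows 9x format, destination=source, with NUL as destination meaning delete) and reports pending deletions or replacements of Wsock32.dll. The sample file contents, paths and function names are constructed for illustration.

```python
import ntpath

# Constructed sample of a Wininit.ini on an affected Windows 9x system.
# Paths are assumptions for illustration, not values taken from the page.
SAMPLE_WININIT = """\
[rename]
NUL=C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.MTX
C:\\WINDOWS\\TEMP\\OLD.TMP=C:\\WINDOWS\\TEMP\\NEW.TMP
"""

WATCHED = {"wsock32.dll"}  # system files whose replacement deserves an alert


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section.

    configparser is avoided because [rename] may repeat the key NUL.
    """
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            ops.append((dest.strip(), src.strip()))
    return ops


def find_suspicious_ops(text, watched=WATCHED):
    """Return (action, target, source) for operations on watched files."""
    findings = []
    for dest, src in parse_rename_section(text):
        if dest.upper() == "NUL" and ntpath.basename(src).lower() in watched:
            findings.append(("delete", src, None))
        elif ntpath.basename(dest).lower() in watched:
            findings.append(("replace", dest, src))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_ops(SAMPLE_WININIT):
        print(finding)
```
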