F-Secure Virus Descriptions : MTX
The MTX worm has three components - worm, virus and backdoor.
It spreads under Win32 systems: the virus component infects
Win32 executable files, the worm component attempts to send
e-mail messages with infected attachments, and the backdoor
component downloads and spawns "plugins" on an affected system.
The virus has an unusual structure. It consists of three
different components that are run as standalone programs (Virus,
email Worm and Backdoor). The virus is the main component; it keeps
the worm and the backdoor programs in its code in compressed form.
While infecting the system, it extracts and spawns them.
The MTX worm-virus structure looks like this:
------------------
| The virus      | --> installs Worm and Backdoor to the system,
| installation   |     then finds and infects Win32 executable files
| and infection  |
| routines       |
------------------
| Worm code      | --> is extracted to file and run as stand-alone program
| (compressed)   |
------------------
| Backdoor code  | --> is extracted to file and run as stand-alone program
| (compressed)   |
------------------
The worm code alone does not contain all the routines needed to
infect the system that receives the infected e-mail (see below)
as an attachment. The worm file is first infected by the virus like
an ordinary file and only then sent. The reason for this design is
not clear; probably the components were written by different people.
The Virus component contains the following text strings:
SABIÁ.b ViRuS
Software provide by [MATRiX] VX TeAm: Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
Greetz: All VX guy in #virus and Vecna for help us
Visit us at:
http://www.coderz.net/matrix
The worm component contains the following text strings:
Software provide by [MATRiX] VX team:
Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
Greetz:
All VX guy on #virus channel and Vecna
Visit us: www.coderz.net/matrix
The Backdoor contains the following text strings:
Software provide by [MATRiX] team:
Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
Greetz:
Vecna 4 source codes and ideas
Virus Component
The virus component uses EPO (Entry Point Obscuring) technology
while infecting a file. This means that the virus does not modify
the file at its entry code, but places a "Jump-to-Virus" instruction
somewhere in the middle of the file's code section, which makes
detection and disinfection more complex. As a result the virus is
activated only when the branch of the affected program that
contains the jump receives control.
The virus is also encrypted, so it first decrypts itself when its
code gets control. The virus then looks for the Win32 API functions
it needs by scanning the Win32 kernel, trying Win9x, WinNT and
Win2000 addresses.
The virus then looks for anti-virus programs active in the system
and exits if any of them is detected. The list of anti-virus
programs the virus looks for is as follows:
AntiViral Toolkit Pro
AVP Monitor
Vsstat
Webscanx
Avconsol
McAfee VirusScan
Vshwin32
Central do McAfee VirusScan
Then the virus installs its components to the system. They are
decompressed, written to the Windows directory and then spawned.
Three files are created there with the hidden attribute set. Their
names are:
IE_PACK.EXE - pure Worm code
WIN32.DLL - Worm code infected by the virus
MTX_.EXE - Backdoor code
The virus then infects Win32 executable PE EXE files in current,
temporary, and Windows directories, and then exits.
Worm Component
The worm component uses the technology that was first introduced by
the Happy99/Ska Internet worm to send infected messages. The worm
affects the WSOCK32.DLL file in the Windows system directory by
appending a component of its code to the end of the file and hooking
the "send" WSOCK32.DLL routine. As a result, the worm monitors all
data that is sent from an affected computer to the Internet.
Usually the WSOCK32.DLL file is already in use when the worm starts,
so it is locked by Windows. To work around this, the worm uses the
standard method: it creates a copy of the original WSOCK32.DLL under
the name WSOCK32.MTX, infects that copy and then writes "replace
original file with infected" instructions to the WININIT.INI file:
NUL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WSOCK32.DLL=D:\WINDOWS\SYSTEM\WSOCK32.MTX
where "C:\WINDOWS\SYSTEM" is the name of the Windows system directory
and may differ depending on the directory where Windows is installed.
The infected WSOCK32 replaces the original one during the next reboot,
and the worm gets access to data that is sent from the infected
machine. The worm pays attention to the Internet sites (Web, ftp) that
are visited, as well as to e-mail messages that are sent from the
computer.
The most visible behaviour of the virus is that it blocks visits to
several Internet sites and disables sending messages to the same
domains (they are anti-virus domain names). The virus detects them
by the following four-letter combinations:
nii.
nai.
avp.
f-se
mapl
pand
soph
ndmi
afee
yenn
lywa
tbav
yman
Furthermore, the worm does not allow the user to send e-mail
messages to the following domains:
wildlist.o*
il.esafe.c*
perfectsup*
complex.is*
HiServ.com*
hiserv.com*
metro.ch*
beyond.com*
mcafee.com*
pandasoftw*
earthlink.*
inexar.com*
comkom.co.*
meditrade.*
mabex.com *
cellco.com*
symantec.c*
successful*
inforamp.n*
newell.com*
singnet.co*
bmcd.com.a*
bca.com.nz*
trendmicro*
sophos.com*
maple.com.*
netsales.n*
f-secure.c*
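The two lists above are applied by different rules: the four-letter fragments are plain substring tests, while the recipient-domain entries are prefix patterns. The following script is an added example (not code from the worm or from F-Secure) that reproduces only those two published lists and the matching rules the text states, so an analyst can predict which sites and mail recipients an infected host would refuse. Its assumptions are labelled: matching is treated as case-sensitive (inferred from the list carrying both HiServ.com* and hiserv.com*), the substring test is run over the whole URL or recipient domain, and how the worm locates those strings inside the intercepted data is not described on the page.

```python
"""Predict which destinations an MTX-infected host would refuse to reach.

Added example for this description; it is not code from the worm or
from F-Secure. Assumptions: case-sensitive matching (the wildcard list
carries both HiServ.com* and hiserv.com*), substring test applied to
the whole URL / recipient domain.
"""

# Four-letter fragments from the description (checked as plain substrings).
FOUR_LETTER_FRAGMENTS = (
    "nii.", "nai.", "avp.", "f-se", "mapl", "pand", "soph",
    "ndmi", "afee", "yenn", "lywa", "tbav", "yman",
)

# Wildcard recipient-domain patterns from the description; a trailing '*'
# means "anything may follow". "mabex.com *" is kept with the space exactly
# as printed, so it can never match a real domain.
MAIL_DOMAIN_PATTERNS = (
    "wildlist.o*", "il.esafe.c*", "perfectsup*", "complex.is*", "HiServ.com*",
    "hiserv.com*", "metro.ch*", "beyond.com*", "mcafee.com*", "pandasoftw*",
    "earthlink.*", "inexar.com*", "comkom.co.*", "meditrade.*", "mabex.com *",
    "cellco.com*", "symantec.c*", "successful*", "inforamp.n*", "newell.com*",
    "singnet.co*", "bmcd.com.a*", "bca.com.nz*", "trendmicro*", "sophos.com*",
    "maple.com.*", "netsales.n*", "f-secure.c*",
)


def fragment_hit(text):
    """First four-letter fragment occurring anywhere in text, or None."""
    for frag in FOUR_LETTER_FRAGMENTS:
        if frag in text:
            return frag
    return None


def pattern_hit(domain):
    """First wildcard pattern matching the start of domain, or None.
    Every listed pattern ends in '*', so this is a prefix comparison."""
    for pat in MAIL_DOMAIN_PATTERNS:
        prefix = pat[:-1] if pat.endswith("*") else pat
        if domain.startswith(prefix):
            return pat
    return None


def classify_site(url):
    """Visited sites are filtered by the four-letter fragments only."""
    reason = fragment_hit(url)
    return {"target": url, "blocked": reason is not None, "reason": reason}


def classify_recipient(address):
    """Mail recipients are filtered by the fragments and the wildcard list."""
    domain = address.rsplit("@", 1)[-1]
    reason = fragment_hit(domain) or pattern_hit(domain)
    return {"target": address, "blocked": reason is not None, "reason": reason}


if __name__ == "__main__":
    for url in ("http://www.f-secure.com/", "http://www.example.org/"):
        print(classify_site(url))
    for addr in ("user@symantec.com", "user@earthlink.net", "user@example.org"):
        print(classify_recipient(addr))
```

Two things the script makes visible: several wildcard entries are already covered by a fragment ("yman" is a substring of symantec, "ndmi" of trendmicro, "afee" of mcafee), so the fragment test fires first for them, and a crude substring match over a URL also catches unrelated pages whose path happens to contain a fragment (for example "philosophy" contains "soph").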
The worm also intercepts e-mail messages that are sent and attempts
to send a duplicate message with the infected attachment to the same
address (the same as the "Happy99/Ska" worm does). As a result, the
victim address should receive two messages: the first is the original
message written by the sender, the second is a message with an empty
subject and body and an attached file whose name is selected by the
worm depending on the current date:
README.TXT.pif
I_wanna_see_YOU.TXT.pif
MATRiX_Screen_Saver.SCR
LOVE_LETTER_FOR_YOU.TXT.pif
NEW_playboy_Screen_saver.SCR
BILL_GATES_PIECE.JPG.pif
TIAZINHA.JPG.pif
FEITICEIRA_NUA.JPG.pif
Geocities_Free_sites.TXT.pif
NEW_NAPSTER_site.TXT.pif
METALLICA_SONG.MP3.pif
ANTI_CIH.EXE
INTERNET_SECURITY_FORUM.DOC.pif
ALANIS_Screen_Saver.SCR
READER_DIGEST_LETTER.TXT.pif
WIN_$100_NOW.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
QI_TEST.EXE
AVP_Updates.EXE
SEICHO-NO-IE.EXE
YOU_are_FAT!.TXT.pif
FREE_xxx_sites.TXT.pif
I_am_sorry.DOC.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
Protect_your_credit.HTML.pif
JIMI_HMNDRIX.MP3.pif
HANSON.SCR
FUCKING_WITH_DOGS.SCR
MATRiX_2_is_OUT.SCR
zipped_files.EXE
BLINK_182.MP3.pif
The worm sends out the WIN32.DLL file that was dropped by the
virus component during MTX's first installation to the infected
system.
Note: the worm does not drop the WIN32.DLL file itself, but uses that
file as the attachment for the messages it sends. So the "pure worm"
is not able to spread more than once: when run on a victim machine it
will infect WSOCK32.DLL, but will not be able to send its copies
further. To "fix that problem" the worm sends its infected copy
(WIN32.DLL is the worm component infected by the virus component,
see above).
Fortunately, the known worm modification has a bug in its
spreading routine, and the e-mail server fails to receive affected
messages from the infected machine. So the known worm version cannot
spread widely.
Backdoor Component
When run, the backdoor component creates a new key in the system
registry that indicates that the machine is already infected:
HKLM\Software\[MATRIX]
If this key exists, the Backdoor skips the installation
procedure. Otherwise it registers itself in the auto-run section:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemBackup=%WinDir%\MTX_.EXE
where %WinDir% is Windows directory.
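The dropped files, the WININIT.INI rename entries and the registry key and Run value described above are the host-level indicators an analyst would look for. The following script is an added example (not F-Secure's mtxdisin.reg and not code from the malware) that checks those three artefact classes against text already collected from a suspect machine: a copy of WININIT.INI, a regedit text export, and a listing of the Windows directory. It assumes the registry export is in regedit's text format (key names in square brackets, string values as "name"="data" with doubled backslashes) and that the WININIT.INI lines sit under the usual [rename] section, which the description does not show; all sample inputs in the block are constructed.

```python
r"""Offline triage of the MTX persistence and drop artefacts listed above.

Added example, not F-Secure's tool and not code from the malware.
Checks: WININIT.INI rename lines replacing WSOCK32.DLL with WSOCK32.MTX,
a regedit text export containing HKLM\Software\[MATRIX] or a Run value
SystemBackup pointing at MTX_.EXE, and a Windows-directory listing
containing IE_PACK.EXE, WIN32.DLL or MTX_.EXE. Sample inputs are constructed.
"""
import re

DROPPED_FILES = {"IE_PACK.EXE", "WIN32.DLL", "MTX_.EXE"}
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\[MATRIX]"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def wininit_rename_entries(ini_text):
    """Yield (destination, source) pairs from 'dest=src' lines; section
    headers and ';' comments are skipped. Windows applies these at boot."""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        dest, src = line.split("=", 1)
        yield dest.strip(), src.strip()


def check_wininit(ini_text):
    findings = []
    for dest, src in wininit_rename_entries(ini_text):
        d, s = dest.upper(), src.upper()
        if d.endswith("\\WSOCK32.DLL") and s.endswith("\\WSOCK32.MTX"):
            findings.append(f"WININIT.INI replaces {dest} with {src}")
        elif d == "NUL" and s.endswith("\\WSOCK32.DLL"):
            findings.append(f"WININIT.INI schedules deletion of {src}")
    return findings


def parse_reg_export(reg_text):
    """Minimal reader for regedit text exports: {KEY (upper-cased): {name: data}}.
    Only string values are decoded, which is all this check needs (assumption:
    the export uses the documented regedit text layout)."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.upper().startswith("HKLM\\"):  # accept the short form too
                current = "HKEY_LOCAL_MACHINE" + current[4:]
            current = current.upper()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            if m:  # regedit doubles backslashes in string data
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def check_registry(reg_text):
    findings = []
    keys = parse_reg_export(reg_text)
    if MARKER_KEY.upper() in keys:
        findings.append("infection marker key present: " + MARKER_KEY)
    data = keys.get(RUN_KEY.upper(), {}).get("SystemBackup", "")
    if data.upper().endswith("MTX_.EXE"):
        findings.append("Run value SystemBackup starts " + data)
    return findings


def check_windows_dir(listing):
    """listing: file names from the Windows directory, in any case."""
    return [f"dropped component present: {name}"
            for name in sorted(listing) if name.upper() in DROPPED_FILES]


def triage(ini_text, reg_text, listing):
    return check_wininit(ini_text) + check_registry(reg_text) + check_windows_dir(listing)


# Constructed samples modelled on the values in the description.
SAMPLE_WININIT = r"""[rename]
NUL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\WSOCK32.MTX
"""
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\[MATRIX]]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemBackup"="C:\\WINDOWS\\MTX_.EXE"
"""
SAMPLE_LISTING = ["EXPLORER.EXE", "ie_pack.exe", "WIN32.DLL", "MTX_.EXE", "NOTEPAD.EXE"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_WININIT, SAMPLE_REG, SAMPLE_LISTING):
        print(finding)
```

Because the WININIT.INI replacement only takes effect at the next boot, a machine that has not yet restarted still has a clean WSOCK32.DLL in place; the rename entry and the WSOCK32.MTX copy are then the only trace of the worm component, which is why the script reports them separately from the dropped files.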
The backdoor then stays active in Windows as a hidden application
(service) and runs a routine that connects to an Internet server,
downloads files from there and runs them on the system. Thus the
Backdoor can infect the system with other viruses or install
trojan programs or more capable backdoors.
The backdoor in the known virus version has a bug that causes a
standard error message when the backdoor tries to access the
Internet site.
To disinfect the virus, worm and backdoor components, please use
the latest version of F-Secure Anti-Virus with the latest updates.
http://www.europe.f-secure.com/download-purchase/
http://www.europe.f-secure.com/download-purchase/updates.shtml
If F-Secure Anti-Virus for Windows is not able to remove one of the
dropped MTX components (because the files are locked by Windows),
please download and run the following REG file, restart your system
and scan your hard drives again:
ftp://ftp.Europe.F-Secure.com/anti-virus/tools/mtxdisin.reg
You can also delete the following 3 components from your Windows
directory manually from DOS:
IE_PACK.EXE
WIN32.DLL
MTX_.EXE
Before doing the above procedure, make sure that all other
infected files are disinfected by FSAV.
Note that older versions of FSAV 5 might not detect MTX-infected
files, because the virus uses the EPO (Entry Point Obscuring)
technique, which was not supported by the F-Prot engine at that time.
In this case it is advised to perform disinfection with the AVP
engine only, or to use a DOS-based scanner (see below).
You can also use the free version of F-Prot for DOS to remove MTX
from an infected system. Disinfection must be performed from pure
DOS, and it is advised to run the REG file given above before
exiting Windows.
ftp://ftp.europe.F-Secure.com/anti-virus/free/
ftp://ftp.europe.F-Secure.com/anti-virus/updates/f-prot/dos/
The Windows WinSock library WSOCK32.DLL that is patched by MTX
should be restored from backups, as the virus does not preserve
the original file.
[Eugene Kaspersky, KL; Alexey Podrezov; F-Secure Corp.; Sep 2000 - Jan 2001]