The MTX worm has an unusual structure, as it consists of three different components that are run as standalone programs - worm, virus and backdoor. The MTX worm-virus structure looks like this:
+-------------------------+
| The virus               | --> installs Worm and Backdoor to the system,
| installation            |     then finds and infects Win32 executable files
| and infection           |
| routines                |
+-------------------------+
| Worm code               | --> is extracted to file and run as stand-alone program
| (compressed)            |
+-------------------------+
| Backdoor code           | --> is extracted to file and run as stand-alone program
| (compressed)            |
+-------------------------+
The virus is the main component; it keeps the worm and the backdoor programs in its code in compressed form. When the malware arrives on a new victim machine, the virus component installs the worm component, which spreads the malware on Win32 systems by sending out email messages with infected attachments. The virus also installs the backdoor component, which downloads and spawns "plugins" on the affected system, and then infects the Win32 executable files it finds.
The worm code does not contain all the routines necessary to infect the system that receives the infected email (see below) as an attachment. The worm file is infected by the virus as an ordinary file and then sent. The reason for using this odd method is not clear; probably the components were written by different people.
The Virus component contains the following text strings:
- SABIÁ.b ViRuS
- Software provide by [MATRiX] VX TeAm: Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
- Greetz: All VX guy in #virus and Vecna for help us
- Visit us at:
The worm component contains the following text strings:
- Software provide by [MATRiX] VX team:
- Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
- All VX guy on #virus channel and Vecna
- Visit us: www.coderz.net/matrix
The Backdoor contains the following text strings:
- Software provide by [MATRiX] team:
- Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
- Vecna 4 source codes and ideas
The virus component uses Entry Point Obscuring (EPO) technology while infecting a file. This means that the virus does not modify the file at its entry code, but places a "Jump-to-Virus" instruction somewhere in the middle of the file's code section to make detection and disinfection more complex. As a result, the virus is activated only when the patched branch of the affected program receives control.
The virus is also encrypted, so when its code gets control it first decrypts itself. The virus then looks for the Win32 API functions it needs by scanning the Win32 kernel, trying the Win9x, WinNT and Win2000 addresses in turn.
The virus then looks for anti-virus programs active in the system and exits if any of them is detected. The anti-virus programs the virus looks for are:
- AntiViral Toolkit Pro
- AVP Monitor
- McAfee VirusScan
- Central do McAfee VirusScan
Then the virus installs its components to the system: they are decompressed, written to the Windows directory and then spawned. Three files are created there with the hidden attribute set. Their names are:
- IE_PACK.EXE - pure Worm code
- WIN32.DLL - Worm code infected by the virus
- MTX_.EXE - Backdoor code
The virus then infects Win32 executable PE EXE files in current, temporary, and Windows directories, and then exits.
The worm component uses a technique that was first introduced by the Happy99/Ska Internet worm to send infected messages. The worm affects the WSOCK32.DLL file in the Windows system directory by appending a component of its code to the end of the file and hooking the "send" WSOCK32.DLL routine. As a result, the worm monitors all data that is sent from the affected computer to the Internet.
Usually the WSOCK32.DLL file is in use when the worm starts and is locked by Windows. To get around this, the worm uses the standard method: it creates a copy of the original WSOCK32.DLL named WSOCK32.MTX, infects that copy and then writes "replace the original file with the infected one" instructions to the WININIT.INI file:
where "C:\WINDOWS\SYSTEM" is the Windows system directory and may differ depending on the name of the directory where Windows is installed.
The infected WSOCK32 replaces the original one during the next reboot, and the worm gets access to data that is sent from the infected machine. The worm pays attention to the Internet sites (Web, ftp) that are visited, as well as to email messages that are sent from the computer.
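The WININIT.INI rename mechanism described above is the same one legitimate installers use, so a defender's check is to read the [rename] section and flag entries that would overwrite a system DLL at the next reboot. The following is an added example, not code from the original description: it parses the destination=source lines of a [rename] section (NUL as destination means "delete the source") and reports replacements of watched DLLs. The sample INI text is constructed for this example and is not the worm's actual instructions; the list of watched DLL names is an assumption chosen for illustration.

```python
"""Parse the [rename] section of a Windows 9x WININIT.INI and flag entries
that would swap out a system DLL at the next reboot.

Added example; the sample INI text and the watched-DLL list are constructed
assumptions for illustration, not the worm's own data.
"""
import re

# Destinations a legitimate installer would rarely overwrite (assumption:
# list chosen for this example; extend it from your own baseline).
WATCHED_TARGETS = {"WSOCK32.DLL", "KERNEL32.DLL", "USER32.DLL"}


def parse_rename_section(ini_text):
    """Return (destination, source) pairs from the [rename] section.

    Windows processes each line as destination=source at boot; a destination
    of NUL deletes the source file. Section names are case-insensitive.
    """
    entries = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = re.match(r"^\[(.+)\]$", line)
        if section:
            in_rename = section.group(1).strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            entries.append((dest.strip(), src.strip()))
    return entries


def basename(path):
    """Last path component, upper-cased, for case-insensitive comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def suspicious_renames(ini_text):
    """Flag rename entries whose destination is a watched system DLL."""
    findings = []
    for dest, src in parse_rename_section(ini_text):
        if dest.upper() == "NUL":
            continue  # deletion of a temp file, not a replacement
        if basename(dest) in WATCHED_TARGETS:
            findings.append({
                "target": dest,
                "replacement": src,
                "reason": "system DLL scheduled for replacement at reboot",
            })
    return findings


# Constructed sample: one harmless temp-file cleanup and one DLL swap of the
# kind the text describes (paths are illustrative).
SAMPLE_WININIT = """\
; constructed sample for this example
[rename]
NUL=C:\\WINDOWS\\TEMP\\~SETUP.TMP
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.MTX
[other]
key=value
"""

if __name__ == "__main__":
    for finding in suspicious_renames(SAMPLE_WININIT):
        print(finding)
```

On a live Windows 9x box the file to feed in is %WinDir%\WININIT.INI; since Windows deletes or renames it after processing, the check is only useful before the reboot that applies the swap, which is exactly the window the worm relies on.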
The most visible behaviour of the virus is that it blocks visits to several Internet sites and disables sending messages to the same domains (they are anti-virus domain names). The virus detects them by four-letter combinations:
Furthermore, the worm does not allow the user to send email messages to the following domains:
- mabex.com *
The worm also intercepts email messages that are sent and attempts to send a duplicate message with the infected attachment to the same address (as the "Happy99/Ska" worm does). As a result, the victim address should receive two messages: the first is the original message written by the sender; the second is a message with an empty subject and body and an attached file whose name is selected by the worm depending on the current date:
The worm sends out the WIN32.DLL file that was dropped by the virus component during MTX's first installation to the infected system.
Note: the worm does not drop the WIN32.DLL file, but uses that file to attach it to the messages that are sent. So the "pure worm" is not able to spread more than once: when run on a victim machine it will infect WSOCK32.DLL but will not be able to send its copies further. To "fix that problem" the worm sends its infected copy (WIN32.DLL is the worm component infected by the virus component, see above).
Fortunately, the known worm modification has a bug in its spreading routine, and the email server fails to receive the affected messages from the infected machine. So the known worm version cannot spread widely.
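The "two messages" pattern above (an original message followed shortly by a second one to the same recipient with an empty subject and an attachment) is observable at a mail gateway without knowing the attachment names. The following is an added detection example, not code from the original description: it parses constructed outbound-mail log lines, groups them by sender and recipient, and reports any message that is followed within a time window by an empty-subject message carrying an attachment. The log format and the 120-second default window are assumptions for this example.

```python
"""Detect the shadow-message pattern: an outbound email followed shortly by a
second message to the same recipient with an empty subject and an attachment.

Added example over constructed log lines; the log format is an assumption,
not any real gateway's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<date> <time> from=<addr> to=<addr> subject="<text>" attachments=<n>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" attachments=(?P<att>\d+)$'
)


def parse_log(lines):
    """Turn matching log lines into event dicts; lines that do not fit are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "from": m["sender"].lower(),
            "to": m["rcpt"].lower(),
            "subject": m["subject"],
            "attachments": int(m["att"]),
        })
    return events


def find_shadow_messages(lines, window_seconds=120):
    """Return (original, follow_up) pairs for the same sender/recipient where the
    follow-up arrives within the window, has an empty subject and an attachment."""
    by_pair = defaultdict(list)
    for ev in sorted(parse_log(lines), key=lambda e: e["ts"]):
        by_pair[(ev["from"], ev["to"])].append(ev)
    window = timedelta(seconds=window_seconds)
    hits = []
    for msgs in by_pair.values():
        for prev, cur in zip(msgs, msgs[1:]):
            if (cur["ts"] - prev["ts"] <= window
                    and cur["subject"] == ""
                    and cur["attachments"] > 0):
                hits.append((prev, cur))
    return hits


# Constructed sample log: one suspicious pair (first two lines), one pair that is
# too far apart in time, and an unrelated message.
SAMPLE_LOG = [
    '2000-08-17 10:01:05 from=alice@corp.test to=bob@partner.test subject="Re: meeting" attachments=0',
    '2000-08-17 10:01:09 from=alice@corp.test to=bob@partner.test subject="" attachments=1',
    '2000-08-17 10:05:30 from=alice@corp.test to=carol@partner.test subject="invoice" attachments=1',
    '2000-08-17 11:40:00 from=alice@corp.test to=carol@partner.test subject="" attachments=1',
    '2000-08-17 12:00:00 from=dave@corp.test to=bob@partner.test subject="hi" attachments=0',
]

if __name__ == "__main__":
    for original, follow_up in find_shadow_messages(SAMPLE_LOG):
        print(f"{original['from']} -> {original['to']}: '{original['subject']}' "
              f"followed at {follow_up['ts']} by empty-subject message with attachment")
```

The window is the tunable part: the worm sends its duplicate immediately after the hooked send, so a short window keeps false positives low, while a wider one catches slower relays at the cost of flagging ordinary "forgot the attachment" follow-ups.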
When run, the backdoor component creates a new key in the system registry indicating that the machine is already infected:
If this key exists, the backdoor skips the installation procedure. Otherwise it registers itself in the auto-run section:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run SystemBackup=%WinDir%\MTX_.EXE
where %WinDir% is the Windows directory.
The backdoor then stays active in Windows as a hidden application (service) and runs a routine that connects to an Internet server, downloads files from there and spawns them on the system. So the backdoor can infect the system with other viruses or install trojan programs or more capable backdoors.
The backdoor in the known virus version has a bug that causes a standard error message when the backdoor tries to access the Internet site.