Shatrix is a worm that spreads via the Internet being attached to infected emails. The worm also spreads over local network by copying to shared drives. The worm itself is a Windows PE EXE file about 380Kb of length, written in Delphi.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
The infected messages have:
Subject: FW:Shake a little Body: Hi ! This will shake your world :-) Regards, %username% Attach: SHAKE.EXE
where %username% is the name of user of an infected machine.
The worm activates from infected email only in case a user clicks on attached file. The worm then installs itself to the system, runs spreading routine and payload.
While installing the worm copies itself to Windows system directory with the random name and registers that file in system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run SystemInfo = %worm file name%
To send infected messages the worm uses MS Outlook MAPI. To get victim addresses the worm looks for and scans following files:
*.asp *.html *.htm
Depending on system date the worm creates random directories, drops HTML files with texts which are randomly constructed from strings:
MatriX is out there MatriX has You... MatriX is All around You 010011010110000101110100011100100110100101011000
Technical Details:Kaspersky Labs; January 2002