Iworm_MTX, I-Worm.MTX, Matrix
Sent by email, Backdoor component.
The worm detects when an email is composed and tries to attach a second email to it. This second email has no subject and no body.
MTX has three components: virus, email worm and backdoor.
The Virus Component:
The virus is first decoded and then executed. It searches for active components of the following antivirus programs:
AntiViral Toolkit Pro
Central do McAfee VirusScan
If it finds one of the above components, the virus is not activated!
Then the virus decompresses its components and installs them in the Windows directory. The following files are created:
IE_PACK.EXE - "clean" worm-code
WIN32.DLL - infected worm-code
MTX_.EXE - Backdoor code
The Worm Component:
The worm modifies the file WSOCK32.DLL in the Windows directory, adding parts of its code and a send command at the end of the file. This way the worm controls all emails sent from the infected system.
If WSOCK32.DLL is already in use and the worm cannot add its code to it, the worm creates a copy of the file named WSOCK32.MTX, infects the copy and, using an entry in WININIT.INI, replaces the original WSOCK32.DLL with the infected WSOCK32.MTX:
The Backdoor Component:
It enters a new registry key:
If the key already exists, the installation is skipped. If not, the backdoor is registered in the auto-run section:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemBackup=%WinDir%\MTX_.EXE
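A triage check built from the artifacts this description lists, as an added example (not Avira's code): it looks in a mounted copy of the Windows directory for the created files, for a pending WSOCK32 replacement in the [rename] section of WININIT.INI, and for the SystemBackup Run value in a regedit text export. The function names, the sample inputs and the use of a regedit export are assumptions made for the example.

```python
import re
from pathlib import Path

# File names the description lists as created by MTX (compared case-insensitively).
MTX_FILES = {"ie_pack.exe", "win32.dll", "mtx_.exe", "wsock32.mtx"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

def find_dropped_files(windir):
    """Return files under windir whose name matches one of the listed MTX files."""
    return sorted(p for p in Path(windir).rglob("*")
                  if p.is_file() and p.name.lower() in MTX_FILES)

def pending_wsock_renames(wininit_text):
    """Return (dest, src) entries of the [rename] section that involve WSOCK32."""
    hits, section = [], ""
    for raw in wininit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "rename" and "=" in line and not line.startswith(";"):
            dest, src = (part.strip() for part in line.split("=", 1))
            if src.lower().endswith("wsock32.mtx") or dest.lower().endswith("wsock32.dll"):
                hits.append((dest, src))
    return hits

def run_key_hits(reg_export_text):
    """Return (name, data) Run values that match the SystemBackup / MTX_.EXE entry."""
    hits, in_run = [], False
    for raw in reg_export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run and m:
            # regedit exports double every backslash inside string data
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if name.lower() == "systembackup" or data.lower().endswith("mtx_.exe"):
                hits.append((name, data))
    return hits

# Constructed sample inputs (not captured from an infected system).
SAMPLE_WININIT = "[rename]\nC:\\WINDOWS\\WSOCK32.DLL=C:\\WINDOWS\\WSOCK32.MTX\n"
SAMPLE_REG = ('REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
              '"SystemBackup"="C:\\\\WINDOWS\\\\MTX_.EXE"\n"ScanRegistry"="scanregw.exe /autorun"\n')

if __name__ == "__main__":
    print(pending_wsock_renames(SAMPLE_WININIT))
    print(run_key_hits(SAMPLE_REG))
```

A hit on a file name alone is only a lead, since the check matches names and not file contents.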
Description inserted by Crony Walker on Tuesday, June 15, 2004