Alias:W95.Oisdbo, W95.MTX.dr, W95.MTX (.dll), W32/Apology-B [Sophos], I-Worm.MTX [Kaspersky], W95/MTX@M [McAfee], PE_Mtx.A [Trend], Win95.Mtx [Computer Associates], W95.MTX.dr
Type:Worm 
Size:~9250 Bytes (variabel) 
Origin: 
Date:00-00-0000 
Damage:W95/MTX.dr searches for antivirus programs and terminates various files. 
VDF Version:  
Danger:Medium 
Distribution:High 

Technical DetailsW95/MTX.dr has a worm and a virus component.

The worm component copies the file Wsock32.dll and renames it Wsock32.mtx.
The worm uses the following file names for the infected emails, the extension .pif being eventually hidden:

I_wanna_see_you.txt.pif
Matrix_screen_saver.scr
Love_letter_for_you.txt.pif
New_playboy_screen_saver.scr
Bill_gates_piece.jpg.pif
Tiazinha.jpg.pif
Feiticeira_nua.jpg.pif
Geocities_free_sites.txt.pif
New_napster_site.txt.pif
Metallica_song.mp3.pif
Anti_cih.exe
Internet_security_forum.doc.pif
Alanis_screen_saver.scr
Reader_digest_letter.txt.pif
Win_$100_now.doc.pif
Is_linux_good_enough!.txt.pif
Qi_test.exe
Avp_updates.exe
Seicho_no_ie.exe
You_are_fat!.txt.pif
Free_xxx_sites.txt.pif
I_am_sorry.doc.pif
Me_nude.avi.pif
Sorry_about_yesterday.doc.pif
Protect_your_credit.html.pif
Jimi_hendrix.mp3.pif
Hanson.scr
F___ing_with_dogs.scr
Matrix_2_is_out.scr
Zipped_files.exe
Blink_182.mp3.pif

The worm uses WININIT.INI to avoid deleting Wsock32.dll and renaming Wsock32.mtx in Wsock32.dll. When this is done, the virus component comes in.

The Virus Component searches for antivirus programs. If it can find one, the virus decompresses the worm component, makes a copy in user's folder and executes it. The name of this file is Ie_pack.exe. After execution, Ie_pack.exe is renamed as Win32.dll. It searches for WinDir files in the current, Windows and Temp directories.
Descrizione inserita da Crony Walker su martedì 15 giugno 2004

Indietro . . . .