로그인
님 환영합니다
Language:
한국어
English
Deutsch
Français
Español
Italiano
Nederlands
Português
Türkçe
Русский
日本語
简体中文
繁體中文
한국어
저희 회사 및 제품에 대한 자세한 정보는 저희
글로벌 웹사이트
에서 보실 수 있습니다.
개인용
기업용
고객지원
연락처
Search
요약
전체 설명
통계
Alias:
Iworm_MTX, I-Worm.MTX, Matrix
Type:
Worm
Size:
18.483 Bytes
Origin:
Date:
11-09-2000
Damage:
Sent by email, Backdoor component.
VDF Version:
6.23.00.00
Danger:
Medium
Distribution:
Medium
Distribution
The worm detects when an email is composed an tries to attach a second email. This one contains no subject and body.
Attachment:
ALANIS_Screen_Saver.SCR
ANTI_CIH.EXE
AVP_updates.EXE
BILL_GATES_PIECE.JPG.pif
BLINK_182.MP3.pif
FEITICEIRA_NUA.JPG.pif
FREE_xxx_sites.TXT.pif
FUCKING_WITH_DOGS.SCR
Geocities_Free_Sites.TXT.pif
HANSON.SCR
INTERNET_SECURITY_FORUM.DOC.pif
IS_LINUS_GOOD_ENOUGH!.TXT.pif
I_am_sorry.DOC.pif
I_wanna_see_You.TXT.pif
Technical Details
MTX has three components: virus, email worm and backdoor.
The Virus Component:
The virus is first decoded and then executed. It searches for active components of the following antivirus programs:
AntiViral Toolkit Pro
AVP Monitor
Vsstat
Webscanx
Avconsol
McAfee VirusScan
Vshwin32
Central do McAffee VirusScan
If it can find one of the above components, the virus is not activated!
Then, the virus decompresses its components and installs them in Windows directory. The following files are created:
IE_PACK.EXE - "clean" worm-code
WIN32.DLL - infected worm-code
MTX_.EXE - Backdoor code
The Worm Component:
The worm uses the file WSOCK32.DLL in Windows directory, adding parts of its code at the end of the file and a send command. Thus, the worm controls all emails sent from the infected system.
If WSOCK32.DLL is already in use and the worm can not add its code to it, then the worm creates a copy of this file, named WSOCK32.MTX, infects it and using an entry in WININIT.INI, replaces the original WSOCK32.DLL file with the infected WSOCK32.MTX:
NUL=C:\WINDOWS\SYSTEM\WSOCK32.DLLC:\%WinDIR%\%SystemDIR%\WSOCK32.DLL=
C:\WINDOWS\SYSTEM\WSOCK32.MTX
The Backdoor Component:
It enters a new registry key:
HKLM\Software\[MATRIX]
If the key is already made, the installation is skipped. If not, the backdoor is registered for the Auto Run Section: HKLM\Software\Microsoft\Windows\CurrentVersion\RunSystemBackup=%WinDir%\MTX_.EXE
설명 삽입자 Crony Walker 2004년 6월 15일 화요일
뒤로
.
.
.
.
내 계정
https
://
이 창은 보안을 위해 암호화되었습니다.
로그인
비밀번호 분실
비밀번호 재설정
내 프로필
제품
결제 기록
알림
비밀번호 재설정
문의처
로그아웃
