(Reprinted directly from Symantec's web site--March 1, 2001)
W95.MTX
Discovered on: August 17, 2000
W95.MTX has a virus component and a worm component. It propagates by email.
It also infects some Win32 executables in specific folders. The virus
has the capability to block access to certain Web sites. This may prevent
you from downloading new virus definitions.
Also Known As: W95.Oisdbo, W95.MTX.dr, W95.MTX (.dll)
Category: Virus, Worm
Infection Length: 9250 (variable)
Virus Definitions: August 28, 2000
Threat Assessment:
Wild:
Damage:
- Payload: Some infected files are corrupted beyond repair.
Distribution:
Technical description:
Worm component
The worm component makes a copy of Wsock32.dll and names it Wsock32.mtx.
The Send export function of this .mtx file is then modified to point to
its own code. This allows the virus to mail a copy of the worm infected
with this virus to the same person to whom the user sends an email message
(using the same program).
Here is a list of file names that this virus might use when it sends
the infected worm to other people. For those files with .pif extensions,
the .pif extension might not be visible in your mail program.
I_wanna_see_you.txt.pif
Matrix_screen_saver.scr
Love_letter_for_you.txt.pif
New_playboy_screen_saver.scr
Bill_gates_piece.jpg.pif
Tiazinha.jpg.pif
Feiticeira_nua.jpg.pif
Geocities_free_sites.txt.pif
New_napster_site.txt.pif
Metallica_song.mp3.pif
Anti_cih.exe
Internet_security_forum.doc.pif
Alanis_screen_saver.scr
Reader_digest_letter.txt.pif
Win_$100_now.doc.pif
Is_linux_good_enough!.txt.pif
Qi_test.exe
Avp_updates.exe
Seicho_no_ie.exe
You_are_fat!.txt.pif
Free_xxx_sites.txt.pif
I_am_sorry.doc.pif
Me_nude.avi.pif
Sorry_about_yesterday.doc.pif
Protect_your_credit.html.pif
Jimi_hendrix.mp3.pif
Hanson.scr
F___ing_with_dogs.scr
Matrix_2_is_out.scr
Zipped_files.exe
Blink_182.mp3.pif
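The list above shows the trick the write-up describes: every name ends in a program extension (.pif, .scr or .exe), and in many of them a document-looking extension such as .txt or .jpg sits directly in front of it so that a mail client hiding known extensions displays an apparently harmless file. The following is an added example, not code from the Symantec write-up; it classifies attachment names by that rule. Eight of the sample names are taken from the list above, and the benign name quarterly_report.txt is constructed for contrast.

```python
"""Flag mail attachment names that hide an executable extension.

Added example, not Symantec's code. The write-up notes that names such as
Love_letter_for_you.txt.pif end in a program extension (.pif, .scr, .exe)
that the mail client may not display, so the visible part looks like a text,
image or sound file. The classifier below makes that check explicit.
"""
import os

# Extensions Windows 9x runs as programs when double-clicked.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".pif", ".scr"}
# Extensions that make a name look like a harmless document or media file.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".mp3", ".avi", ".html", ".htm"}

# Eight names from the write-up's list plus one constructed benign name.
SAMPLE_ATTACHMENTS = [
    "I_wanna_see_you.txt.pif",
    "Matrix_screen_saver.scr",
    "Bill_gates_piece.jpg.pif",
    "Metallica_song.mp3.pif",
    "Anti_cih.exe",
    "Win_$100_now.doc.pif",
    "Protect_your_credit.html.pif",
    "Zipped_files.exe",
    "quarterly_report.txt",  # constructed; should not be flagged
]


def classify_attachment(name):
    """Return (is_executable, is_disguised, reason) for one attachment name.

    is_executable: the real (last) extension is a program type.
    is_disguised:  a decoy document extension sits directly in front of it,
                   e.g. ".txt.pif", which hidden-extension display settings
                   turn into an apparent ".txt" file.
    """
    base, last = os.path.splitext(name.lower())
    if last not in EXECUTABLE_EXTS:
        return (False, False, "not an executable extension")
    _, inner = os.path.splitext(base)
    if inner in DECOY_EXTS:
        return (True, True, "executable %s hidden behind decoy %s" % (last, inner))
    return (True, False, "executable %s" % last)


def flag_attachments(names):
    """Return [(name, reason)] for every name that would run as a program."""
    flagged = []
    for name in names:
        is_exe, _, reason = classify_attachment(name)
        if is_exe:
            flagged.append((name, reason))
    return flagged


if __name__ == "__main__":
    for name, reason in flag_attachments(SAMPLE_ATTACHMENTS):
        print("%-32s %s" % (name, reason))
```

The check is deliberately based on the last extension only: a gateway or desktop scanner that keys on the displayed name (the part before .pif) would pass exactly the files this worm relies on.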
Wininit.ini is created by this component, which causes Wsock32.dll to
be deleted and Wsock32.mtx to be renamed to Wsock32.dll. Wininit.ini executes
after the computer is restarted. After Wininit.ini is created, this component
runs the virus component.
Virus component
The virus component searches for specific antivirus programs running.
If the virus finds one, the virus does not run. If the virus continues
to run, it decompresses the worm component, drops a copy of it into the
user's Windows directory (typically C:\Windows), and runs it. The name
of this dropped file is Ie_pack.exe. After Ie_pack.exe is executed, it
is renamed to Win32.dll.
The virus also drops Mtx_.Exe and runs it. This is a downloader program
that goes to a specific Web site (i.am/[MATRIX]) where plug-ins for the
virus are downloaded and executed. It searches for Win32 executables in
the current directory, Windows directory, and the Temp directory. The
file to be infected needs to have a size that is not divisible by 101,
is greater than 8 KB in size, and has at least 20 import call instructions.
If not, the file is not infected by the virus.
The virus also adds a registry entry that lets the downloader run automatically
every time the system is started. The downloader is invisible in the Task
List.
Removal instructions:
There are two ways to remove this virus:
- Use the SARC W95.MTX Fix Tool.
- Manually remove the virus.
In most cases, you should first try the W95.MTX Fix Tool.
Use the W95.MTX Fix Tool
SARC has developed a tool to help repair the damage.
If you cannot get to this site, then the tool is also available at
the following site:
http://www.digitalriver.com/symantec/virus
Manual removal procedure
This is a complex and difficult virus to remove. It alters system files,
and on some computers these files cannot be repaired. In some cases, after
attempting to repair the virus, you cannot start Windows until you restore
the essential system files from the original Windows installation CD.
NOTE: Because this virus can not only disable Windows and executable
files, but can also block access to certain Web sites, including Symantec
Web sites, in some cases you must perform any needed downloads on an uninfected
computer.
This document assumes that you are familiar with basic Windows and DOS procedures.
If you are not, then we suggest that you obtain the services of a qualified
computer consultant.
CAUTIONS:
- Windows 98 enables you to create a startup disk, which contains both
system files and drivers that will work with most CD-ROM drives. Windows
95 does not. Before you start this procedure, it is strongly recommended
that you create or obtain a Windows 98 Startup disk. This can be used
to start a Windows 95 or a Windows 98 computer. If you do not create
this disk first, and the first part of the removal procedure does not
work on your computer, then you may not be able to restore some Windows
files if this is needed.
- This virus should be detected and removed by following the instructions
below. The mere presence of files that begin with the letters
"mtx" or have the .mtx extension is not an indication of infection.
For example, the files mtxdm.dll, mtxoci.dll, twain*.mtx, and twunk*.mtx
are all legitimate Windows program files.
NOTES:
- Due to the nature of this virus, some files will not be repairable.
The unrepairable files will need to be restored from clean backup copies,
or from the original distribution disks.
- To remove this threat you must carefully watch Norton AntiVirus (NAV)
during the detection process. The files infected by the virus portion
of W95.MTX should be detected as W95.MTX and W95.MTX (.dll). Any files
that are detected as being infected with either W95.MTX or W95.MTX (.dll)
should be repairable.
- Files that belong to the Trojan and worm components of the infection should
be detected as W95.MTX.dr. Any files detected as being infected with
W95.MTX.dr must be removed.
- It is important to make the distinction between the virus and the
worm components, because the virus part of W95.MTX can infect Windows
system files, and if you delete system files, then you might damage
Windows.
To repair the damage done by this virus, follow the instructions in each
section.
- Create or obtain a Startup disk
- Ensure that you have the most recent virus definitions
- Restart the computer to a command prompt
- Delete the infected files
- Extract new copies of the Wsock32.dll, Explorer.exe, and Rundll32.exe
files
- Edit the registry
To create or obtain a Startup disk:
NOTE: You can skip this section if you are sure that the Windows
installation files are located on the local hard drive, and that you can
restart the computer in MS-DOS mode. Details on this are covered in the
sections that follow.
Before you begin the removal process, you should create or obtain a Windows
98 Startup disk. If you are running Windows 95, then you may be able to
obtain one from a local computer store. To create one on a Windows 98 computer,
follow these steps:
CAUTION: This must be done on an uninfected computer. Do not do this
on the computer that is infected with the virus.
1. Click Start, point to Settings, and click Control Panel.
2. Double-click Add/Remove Programs.
3. Click the Startup disk tab.
4. Place a new, formatted floppy disk in the floppy disk drive.
5. Click Create Disk, and then follow the prompts.

To ensure that you have the most recent virus definitions:
Norton AntiVirus must be installed, and you must have virus definitions
dated September 5, 2000, or later. If your virus definitions are up-to-date,
then go on to the next section. If they are not up-to-date, then you cannot
run LiveUpdate or download the definitions from the SARC Web site. There
are several ways to work around this:
- If you have access to an uninfected computer, then download the most
recent definitions from the SARC Web site, and then install the definition
files on the infected computer. For instructions on how to do this,
see the following documents:
- If you do not have access to an uninfected computer, then there are
two ways to work around this:
- Use the numeric Web address to get to the Symantec Web site. The
numeric address is
208.226.167.17
For instructions on how to do this, see the document How
to retrieve virus definition updates when the computer is infected
with a virus that prevents you from connecting to Symantec Web sites.
- Download the Virus Update Definition Installer from the Tucows
Web site.
1. Point your browser to http://www.tucows.com/.
2. In the Search Software Library box, type norton dat and
then click GO!
NOTE: That is, type norton, then a space, then dat.
3. Locate the entry--it should be the first in the list--for the
Platform: Windows 95/98, and then click Download Now.
4. Choose your region and your state or locality, and then click
GO!
5. Click the download site nearest your location.
6. Download the file to a location on the hard drive, such as
the Windows desktop.
7. When the download is finished, double-click the file that you
downloaded to install it.
To restart the computer to a command prompt:
You must restart the computer to a command prompt. Follow the steps for
your operating system:
- Windows 95
1. Click Start, and click Shut Down. The Shut Down Windows dialog
box appears.
2. Click Restart, and then click Yes. Windows shuts down, and the
computer restarts.
3. When "Starting Windows 95..." appears on the screen, press F8.
The Windows 95 Startup Menu appears.
4. Press the number corresponding to "Command Prompt only," and then
press Enter.
- Windows 98
1. Click Start, and click Shut Down. The Shut Down Windows dialog
box appears.
2. Click Restart, and then click OK. Windows shuts down, and the computer
restarts.
3. As the computer restarts, press and hold down the Ctrl key until
the Windows 98 Startup Menu appears.
NOTE: On some computers, a keyboard or other error may appear
during restart as you hold down the Ctrl key. If so, then follow the
prompts to press a key to continue (for example, the message may prompt
you to press the Esc key), then immediately press the Ctrl key again.
4. Press the number corresponding to "Command Prompt only," and then
press Enter.
To delete the infected files:
Follow these steps to delete the infected files:
NOTE: These instructions assume that Windows is installed to the
default of C:\Windows. If Windows installed to a different location, then
substitute the appropriate folder.
1. Type each of the following commands, pressing Enter after each one:
cd \windows
set path=c:\windows\command
attrib -r -s -h *.*
del ie_pack.exe
del win32.dll
del mtx_.exe
NOTE: If you see "File not found" after entering any of the commands,
then verify that the command was typed exactly as shown.
2. Type dir /s /b \navdx.exe and then press Enter. This displays
the path to the Norton AntiVirus DOS scanner. If NAV is installed to a
different drive, then change to the root of that drive first.
3. Change to the folder where Navdx.exe is installed.
4. Type one of the following commands, and then press Enter:
CAUTION: This could take several hours or more on some computers.
Do not attempt to stop the scan once it has started.
NOTE: The DOS-based scanner can perform one of the following
actions when it detects a virus:
- To be prompted for any file that is detected as infected,
type the following, and then press Enter:
navdx /a /doallfiles /prompt
You must press R)epair, D)elete, or C)ontinue for each infected file.
If you choose this option, and NAV cannot repair an infected file,
then you will see the message "Unable to repair the file" followed
by the same three choices. In most cases you should then choose D)elete,
unless you are sure that the file is not actually infected.
- To delete any file that is detected as infected, type the
following, and then press Enter:
navdx /a /doallfiles /delete
The disadvantage to this is that files that could be repaired will
be deleted.
- To repair any file that is detected as infected, type the following,
and then press Enter:
navdx /a /doallfiles /repair
CAUTION: If NAV cannot repair a file and you choose this option,
then the file will be skipped. This means that infected files will
still be on your system. If you choose this option, then you must
run Navdx again, this time using the /delete switch, as shown
in the previous example.
5. When the scan is finished, proceed to the next section.
To extract new copies of the Wsock32.dll, Explorer.exe, and Rundll32.exe
files:
This is necessary because these files have very likely been infected by
the virus and are critical for accessing the Internet and using the computer.
You need to use the Extract command at a DOS prompt to restore good copies
of these files from the Windows installation files.
There are two locations from which these files can be extracted:
- The Windows installation files on your hard drive. On many newer computers,
the .cab files that contain the Windows installation files are stored
on the computer's hard drive. If you are sure that this is the case,
then see the section How to extract files that are located on the
hard drive.
- The Microsoft Windows 95/98 Installation CD. If you do not have the
.cab files on the hard drive, then see the section How to extract
files that are located on the installation CD.
CAUTION: If you are running Windows 95 or have upgraded the computer
to Windows 98 from Windows 95, then read the following:
- If you are running Windows 95, and you have installed Internet Explorer
4.0 or later at any time, then it is not likely that extracting
the Explorer.exe file will work on your system. This is because the
Internet Explorer installation replaces Explorer.exe as well as other
files, with later versions. Replacing only the Explorer.exe file from
the .cab files will not work in most cases, as the older file will not
work with the many other files that were also updated by the installation.
If this is your situation, then you may have to reinstall Windows 95
completely, or update to Windows 98 or later.
- If you have upgraded to Windows 98 from Windows 95, unless you are
sure that the cabinet files on the hard drive are from Windows
98, you should extract the files from the installation CD and not from
the files on the hard drive.
NOTES:
- These instructions are provided for your convenience. The extraction
of Windows files uses Microsoft programs and commands. Symantec does
not provide warranty support for or assistance with Microsoft products.
However, for your convenience, Symantec now provides fee-based technical
support and assistance for a number of non-Symantec products, including
products from Microsoft. Symantec Multivendor Support is available by
calling (800) 745-6032. Otherwise, we suggest that you contact Microsoft
for assistance with this problem.
- There are numerous versions of the Windows installation CD available.
Each of these may have the needed files in a different location within
the .cab files. In the instructions that follow, while the command provided
tells the extraction program to start in a specific location,
the command also includes the "/a" switch. This command switch will
cause the extract program to search recursively through all of the cabinet
files that follow, in sequence, until it finds the indicated file. It
will not search, however, for files that are in the previous .cabs. For
example, the command for Windows 98, extract /a win98_40.cab explorer.exe
/L c:\windows, will start with .cab 40, then search .cab 41, and
so on. It will not search .cab 39 or previous .cab files.
The Windows 98 .cab files usually begin at 21 and typically end in the
upper 70's (usually 74). We have the search begin with .cab 40 because,
in most cases, these files are in .cab 44 or 45. This is done to speed
up the search for these files. If your Windows installation files are laid
out differently from the standard format, then
you will have to adjust the command accordingly. For example, if you
have Windows 98 and the command extract /a win98_40.cab explorer.exe
/L c:\windows does not locate the explorer.exe file, and you are
sure that you have entered it exactly as shown, try changing the number
of the .cab file in which the search starts, for example, to extract
/a win98_20.cab explorer.exe /L c:\windows
To extract files that are located on the hard drive:
1. Type dir /s /b \precopy1.cab and then press Enter. This displays
the path to the Precopy1.cab file. If the file is not found, then the .cab
files are probably not on the hard drive; in that case, skip to the section
How to extract files that are located on the installation CD.
2. Change to the folder where the Precopy1.cab file is located.
3. What you do next depends on which operating system you are using:
NOTES:
- If you see "File not found" after entering any of the commands,
then verify that it was typed exactly as shown.
- If you see a message prompting whether you want to overwrite a
file, then press Y for Yes, and then press Enter.
- If Windows is installed to a different location, then substitute
the appropriate path.
CAUTION: You must be very careful when you type the destination
of the file to be extracted, for example, C:\Windows. If you designate
a destination folder that does not exist, then the extract command will
create the new folder and extract the file to that folder without prompting
you to confirm the creation. The result can be that the infected Windows
system file is not overwritten.
- If you are using Windows 98, then type the following commands, and
press Enter after each one:
extract /a precopy1.cab wsock32.dll /L c:\windows\system
extract /a win98_40.cab explorer.exe /L c:\windows
extract /a win98_40.cab rundll32.exe /L c:\windows
- If you are using Windows 95, then type the following commands, and
press Enter after each one:
extract /a win95_10.cab wsock32.dll /L c:\windows\system
extract /a win95_10.cab explorer.exe /L c:\windows
extract /a win95_10.cab rundll32.exe /L c:\windows
If you do not see any error messages, then you are finished with the extraction
process. Proceed to the section Edit the registry.
To extract files that are located on the installation CD:
NOTES:
- The instructions that follow are for the most widely-distributed CD
versions of Windows 95/98. There are, however, numerous versions, some
of which were distributed on floppy disks. Each version may have the
.cab files in a different location, or may have the files that you need
to extract in a different .cab file. It is beyond the scope of this
document to include instructions for every version.
- If you do not have the Windows installation CD for which the following
commands were written, then you may have to change the command to the
correct path for your version. You will also have to locate the .cab
file that contains the file that you need to extract. For additional
information on this, see the document Which cabinet files contain the original Windows files?
- A partial list of these locations for some versions of Windows is
also available in the section Cab locations list at the end of
this document.
1. Insert the Windows 98 Startup disk in the floppy disk drive.
2. Insert the Windows 98 Installation CD in the CD-ROM drive.
3. Turn off the computer, and then wait thirty seconds.
4. Turn on the computer. The computer starts to a startup menu.
5. The default menu item is Start Computer with CD-ROM Support. Do not
change this, but instead press Enter.
6. Allow the computer to finish booting to an A:\> prompt. This could
take a few minutes.
7. The next step is to change to the CD-ROM drive. Because you are using
the Startup disk, the drive letter will be one letter greater than the
drive letter that usually represents the CD-ROM drive. For example, if
the CD-ROM drive is the D drive in Windows, it will be the E drive.
Type the following, changing the drive letter as necessary, and then press
Enter:
e:\win98 (If the installation disk is for Windows 98)
or
e:\win95 (If the installation disk is for Windows 95)
If you see an error message, then try retyping the command with a different
drive letter, for example, f:\win98
8. What you do next depends on which version of Windows you are running:
NOTES:
- If you see "File not found" after entering any of the commands,
then verify that it was typed exactly as shown.
- If you see a message prompting whether you want to overwrite a
file, then press Y for Yes, and then press Enter.
- If Windows is installed to a different location, then substitute
the appropriate path.
CAUTION: You must be very careful when you type the destination
of the file to be extracted, for example, C:\Windows. If you designate
a destination folder that does not exist, then the extract command will
create the new folder and extract the file to that folder without prompting
you to confirm the creation. The result can be that the infected Windows
system file is not overwritten.
- If you are running Windows 98, then type the following commands,
and press Enter after each one:
extract /a precopy1.cab wsock32.dll /L c:\windows\system
extract /a win98_40.cab explorer.exe /L c:\windows
extract /a win98_40.cab rundll32.exe /L c:\windows
- If you are running Windows 95, then type the following commands,
and press Enter after each one:
extract /a win95_10.cab wsock32.dll /L c:\windows\system
extract /a win95_10.cab explorer.exe /L c:\windows
extract /a win95_10.cab rundll32.exe /L c:\windows
If you experience no error messages, then you are finished with the extraction
process. Proceed to the next section.
To edit the registry:
Follow these steps to remove the entry that the virus added to the registry:
CAUTION: We strongly recommend that you back up the system registry
before making any changes to it. Incorrect changes to the registry may result
in permanent data loss or corrupted files. Please make sure that you modify
only the keys specified. Please see the document How to back up the Windows registry before proceeding. This document is available from
the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490,
select option 2, and then request document 927002.
1. Remove the floppy disk from the floppy disk drive.
2. If you extracted the files from the Installation CD, then remove the
CD from the CD-ROM drive.
3. Turn off the computer, and then wait thirty seconds.
4. Turn on the computer, and allow Windows to start.
NOTE: It is normal at this point for error messages to appear.
They will refer to the virus files with messages, such as "Windows cannot
find...." Ignore these messages. They are the result of the remaining
entries in the Windows registry that you will remove next. They do not
indicate that the computer is still infected.
5. Click Start, and then click Run. The Run dialog box appears.
6. Type regedit and then click OK. The Registry Editor opens.
7. Navigate to and select the following subkey:
HKey_Local_Machine\Software\[Matrix]
8. Press Delete, and then click Yes to confirm.
9. Navigate to and select the following subkey:
HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
10. Delete the following value in the right pane:
SystemBackup C:\WINDOWS\MTX_.EXE
11. Click Yes to confirm.
12. In the left pane, click the My Computer key.
13. Click the Edit menu, and then click Find.
14. In the Find what box, type mtx and then click Find Next.
15. What you do next depends on whether any entries are found.
- If no entries are found that contain the string mtx, then proceed
to the next step.
- If any entries are found that refer to Mtx_.exe, then you should
delete them. Because this is a string search, it could find entries
for legitimate programs that happen to contain this string. Make sure
that the reference is to Mtx_.exe before you delete it. To continue
the search if an entry is found, press F3. Keep doing this until no
more entries are found.
16. Perform another find operation, but this time search for [MATRIX].
Delete any entries that are found.
17. Click the Registry menu, and then click Exit to save the changes and
close the Registry Editor.
18. Restart the computer.
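Steps 7 through 16 above, together with the technical description's note that the downloader is started from a registry entry, amount to three checks: the [Matrix] key, a Run value pointing at MTX_.EXE, and a string search for "mtx" that must not be allowed to sweep up the legitimate files named in the CAUTIONS section (mtxdm.dll, mtxoci.dll, twain*.mtx, twunk*.mtx). The following added example (not Symantec's tool) runs those checks over a REGEDIT4 export so they can be applied to a saved registry rather than clicked through by hand; the export text inside it is constructed for the example, and the ExampleVendor key is a placeholder, not a real product's key.

```python
"""Triage a REGEDIT4 export for the W95.MTX registry indicators in the write-up.

Added example, not Symantec's tool. It automates the manual regedit steps:
the [Matrix] key, the Run value pointing at MTX_.EXE, and the "mtx" string
search, while exempting the legitimate file names the CAUTIONS section lists.
The registry text below is constructed for the example.
"""
import fnmatch
import ntpath

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MATRIX_KEY_MARKER = "[matrix]"
DROPPED_DOWNLOADER = "mtx_.exe"
# Legitimate Windows files containing "mtx" (from the write-up's CAUTIONS).
LEGITIMATE_MTX = ("mtxdm.dll", "mtxoci.dll", "twain*.mtx", "twunk*.mtx")

# Constructed export: the two indicators from the write-up plus a benign
# value whose path happens to contain "mtx". ExampleVendor is a placeholder.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemBackup"="C:\\WINDOWS\\MTX_.EXE"

[HKEY_LOCAL_MACHINE\Software\[Matrix]]

[HKEY_LOCAL_MACHINE\Software\ExampleVendor\Components]
"TransactionLib"="C:\\WINDOWS\\SYSTEM\\mtxdm.dll"
"""


def parse_reg(text):
    """Return a list of (key, value_name, data) from REGEDIT4 text.

    Each key also yields one (key, None, None) entry so that keys without
    values, such as [Matrix], can still be matched by name.
    """
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.append((key, None, None))
        elif key is not None and "=" in line:
            name, _, data = line.partition("=")
            # Strip the quotes and undo the doubled backslashes of .reg syntax.
            name = name.strip('"')
            data = data.strip('"').replace("\\\\", "\\")
            entries.append((key, name, data))
    return entries


def find_run_persistence(entries):
    """Run-key values whose command references the dropped downloader."""
    return [(name, data) for key, name, data in entries
            if key.lower() == RUN_KEY.lower() and data is not None
            and DROPPED_DOWNLOADER in data.lower()]


def find_matrix_keys(entries):
    """Keys the virus created, identified by the [Matrix] name."""
    return sorted({key for key, _, _ in entries if MATRIX_KEY_MARKER in key.lower()})


def is_legitimate_mtx_file(data):
    """True when the value names one of the legitimate files the CAUTIONS list."""
    tokens = ntpath.basename(data).split()
    filename = tokens[0].lower() if tokens else ""
    return any(fnmatch.fnmatch(filename, pat) for pat in LEGITIMATE_MTX)


def find_mtx_strings(entries):
    """Emulate the regedit Find for "mtx": [(location, data, suspicious)].

    suspicious is False for the known legitimate files, so a reviewer sees
    the match but is warned not to delete it (the write-up's CAUTION).
    """
    results = []
    for key, name, data in entries:
        haystack = " ".join(x for x in (key, name, data) if x)
        if "mtx" not in haystack.lower():
            continue
        legit = data is not None and is_legitimate_mtx_file(data)
        location = key if name is None else key + "\\" + name
        results.append((location, data, not legit))
    return results


def triage(text):
    """Run all three checks and return them keyed by check name."""
    entries = parse_reg(text)
    return {"run_persistence": find_run_persistence(entries),
            "matrix_keys": find_matrix_keys(entries),
            "mtx_hits": find_mtx_strings(entries)}


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_REG).items():
        print(section)
        for hit in hits:
            print("   ", hit)
```

Note that the "mtx" search does not find the [Matrix] key, since "mtx" is not a substring of "matrix"; that is why step 16 above searches for [MATRIX] separately, and why the triage keeps the two checks apart.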
Write-up by: Cary Ng and Peter Ferrie (Symantec)