Win32/MTX is one of the most complex recent computer infiltrations. It combines
a virus, a worm, a backdoor FTP server and a script for the MIRC and PIRCH IRC clients.
MATRiX, an international virus-writing group, was identified as the author of this malicious
The worm installs itself into the system by replacing wsock32.dll, an important
system file (the Windows Sockets library through which applications send and
receive all network traffic). To do this, the worm first creates an infected copy
of the file under a different name, wsock32.mtx. Using the system registry, it
arranges for the new file to be activated at the next system start-up. From then
on the worm controls outgoing mail: every message the user sends is accompanied
by a second, infected one. The infected message has the same Subject field, an
empty body and an infected attachment. The name of the attachment is selected
from the following 31 candidates:
An interesting and clearly deliberate feature is that the infiltration improves
its chances of survival by blocking access to web pages whose addresses contain
strings of characters that are, in fact, parts of the names of some antivirus
developers. This fits the wsock32.dll replacement: a filter placed in the socket
library sees the traffic of every application on the machine, not just the browser.
Another active-defence feature along the same line is that an infected machine is
prevented from sending e-mail to some antivirus developers or sites.
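The mail propagation described above (a second message with the same Subject, an empty body and an executable attachment, sent right after each legitimate one) can be spotted on the outgoing side. The following is an added example, not code from the original page or from Eset: a small detector over a queue of raw messages. Because the page's list of 31 attachment names is not reproduced here, the check keys on the attachment extension instead, using the PE extensions the page names as a hypothetical heuristic; the sample messages, the addresses and the attachment name PLACEHOLDER.EXE are constructed for the demonstration.

```python
"""Flag outgoing messages that fit the Win32/MTX propagation pattern.

Added example (not code from the original page or from Eset). The page says
that for every message the user sends, the worm sends a second one with the
same Subject, an empty body and an infected attachment. The messages built
by build_sample_queue() are constructed for this demonstration; the
attachment name used there is a placeholder, not one of the worm's 31 names.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Extensions of the PE files the page says the virus infects; used here as a
# (hypothetical) heuristic for "executable attachment".
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".ocx")


def body_is_empty(msg: EmailMessage) -> bool:
    """True when the message has no non-blank text body (attachments ignored)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or body.get_content().strip() == ""


def executable_attachments(msg: EmailMessage) -> List[str]:
    """Names of attachments whose extension marks them as executable."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def flag_mtx_like(raw_messages: List[bytes]) -> List[int]:
    """Indices of messages that look like the worm's copy of the previous one.

    A message is flagged when it repeats the Subject of the message sent just
    before it, has an empty body and carries an executable attachment.
    """
    parsed = [email.message_from_bytes(raw, policy=policy.default)
              for raw in raw_messages]
    flagged = []
    for i in range(1, len(parsed)):
        prev, cur = parsed[i - 1], parsed[i]
        same_subject = (cur["Subject"] or "") == (prev["Subject"] or "")
        if same_subject and body_is_empty(cur) and executable_attachments(cur):
            flagged.append(i)
    return flagged


def build_message(subject: str, text: str,
                  attachment: Optional[bytes] = None,
                  filename: str = "") -> bytes:
    """Serialize a constructed message (helper for the sample queue)."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = "friend@example.com"
    msg["Subject"] = subject
    msg.set_content(text)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=filename)
    return bytes(msg)


def build_sample_queue() -> List[bytes]:
    """A constructed outgoing-mail queue: legit, worm copy, legit with attachment."""
    return [
        build_message("meeting notes", "See you at ten."),
        # The worm's copy: same Subject, empty body, executable attachment
        # (placeholder name; the real worm picks from its own list of names).
        build_message("meeting notes", "", b"MZ" + b"\x00" * 64, "PLACEHOLDER.EXE"),
        build_message("holiday photos", "Here they are.", b"\xff\xd8\xff", "beach.jpg"),
    ]


if __name__ == "__main__":
    print(flag_mtx_like(build_sample_queue()))  # expected: [1]
```

The pairing with the previous message is what separates the worm's copy from an ordinary message that happens to carry an executable; a message with an empty body and an executable attachment that does not repeat the preceding Subject is not flagged, and neither is a worm-style message with no predecessor in the queue.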
The body of the worm contains the following text:
Software provided by [MATRiX] VX team:
Ultras, Mort, Nbk, Tgr, Del_Armg0, Anaktos
All VX guy on #virus channel and Vecna
Visit us: www.coderz.net/matrix
The virus code itself is encrypted. After it is executed, it installs itself
into the system and attacks Portable Executable (PE) files with the extensions
EXE, DLL, SCR and OCX in the current directory, the temporary directory and the
Windows directory.
The script for the IRC clients (MIRC and PIRCH) provides a further spreading
channel; it is triggered when certain keywords (e.g. worm, virus, file, exe) appear
in the conversation.
Four variants of this infiltration have been identified so far, and the epidemic
is still spreading.
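The description above gives two file-level indicators that can be checked without a scanner engine: the dropped copy wsock32.mtx, and the [MATRiX] text the page quotes from the worm body, which would sit inside PE files with the extensions the virus attacks in the directories it attacks. The following is an added example, not code from the original page or from Eset, that walks a directory tree for both; the same scan can be rerun after the cleaning procedure described further down as an independent check for leftovers. The MZ header check, the per-file read cap, the function names and the constructed sample tree are this example's own choices. Because the virus code is encrypted, a missing text marker is not a clean bill of health; hits are triage leads, not a verdict.

```python
"""Look for Win32/MTX file indicators in a directory tree.

Added example (not code from the original page or from Eset). It checks the
two file-level indicators the page names: the dropped copy wsock32.mtx, and
the [MATRiX] text quoted from the worm body, looked for in files with the PE
extensions the virus attacks (EXE, DLL, SCR, OCX). The MZ header check, the
read cap and the function names are this example's own choices.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

DROPPED_FILE = "wsock32.mtx"                        # name given on the page
MARKER = b"Software provided by [MATRiX] VX team"   # text quoted on the page
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".ocx"}    # extensions listed on the page
MAX_READ = 8 * 1024 * 1024                          # assumed cap per file


def looks_like_pe(path: Path) -> bool:
    """Cheap check that the file really starts with the DOS 'MZ' header."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan_tree(root) -> Dict[str, List[str]]:
    """Walk root and return paths (relative to root) per indicator, sorted."""
    root = Path(root)
    hits: Dict[str, List[str]] = {"dropped_file": [], "marker_in_pe": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name.lower() == DROPPED_FILE:
                hits["dropped_file"].append(rel)
            if path.suffix.lower() in PE_EXTENSIONS and looks_like_pe(path):
                try:
                    with path.open("rb") as fh:
                        data = fh.read(MAX_READ)
                except OSError:
                    continue
                if MARKER in data:
                    hits["marker_in_pe"].append(rel)
    for key in hits:
        hits[key].sort()
    return hits


def default_roots() -> List[str]:
    """The directories the page says the virus attacks: current, temp, Windows."""
    roots = [os.getcwd(), tempfile.gettempdir()]
    windir = os.environ.get("WINDIR") or os.environ.get("SystemRoot")
    if windir:
        roots.append(windir)
    return roots


def demo_scan() -> Dict[str, List[str]]:
    """Build a constructed tree in a temp dir and scan it (for the demo/test)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        (root / "system" / "WSOCK32.MTX").write_bytes(b"MZ" + b"\x00" * 32)  # dropped copy
        (root / "infected.exe").write_bytes(b"MZ" + b"\x90" * 64 + MARKER)     # marker inside a PE
        (root / "clean.exe").write_bytes(b"MZ" + b"\x00" * 64)                 # PE without marker
        (root / "notes.txt").write_bytes(MARKER)                               # not a PE extension
        (root / "script.exe").write_bytes(b"#!/bin/sh\n" + MARKER)             # .exe but no MZ header
        return scan_tree(root)


if __name__ == "__main__":
    print(demo_scan())  # expected: {'dropped_file': ['system/WSOCK32.MTX'], 'marker_in_pe': ['infected.exe']}
    for r in default_roots():
        print(r, scan_tree(r))
```

The name match is case-insensitive because the Windows file system is; the marker search is restricted to files that both carry a PE extension and start with the MZ header, so a text file or a renamed script containing the same string is not reported.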
CLEANING COMPUTER AFTER WIN32/MTX INFECTION
The MTX virus/worm is one of the most sophisticated and complex computer infections.
For a detailed description, please check the Virus News section of our web page.
Cleaning up the damage is a multi-step process. Both the Windows and the MS-DOS
versions of the NOD32 Antivirus System are needed, and cleaning is performed
in both Windows and MS-DOS modes, so your computer will have to be restarted in
MS-DOS mode. The steps are described in detail below.
- In the first step, the file mtxclean.exe needs to be downloaded and executed.
To do that:
  - click the following link: (mtxclean.exe) to download the file;
  - double-click the downloaded file to execute it. If it runs successfully, the
  following message is displayed: Registry has been successfully repaired.
- Download the Windows version of the NOD32 Antivirus System.
- Install the NOD32 Windows version (go to Eset's website and follow the
instructions; it is recommended to accept the suggested settings).
- Have your computer scanned with this version. To do this:
  - click the Start button (lower left-hand corner of the screen);
  - select Programs;
  - select Eset;
  - click NOD32 (the blue cross icon).
  Most of the infected files will be cleaned; however, some will be shown in the
  log file as "write protected" or "Locked". These are typically files that are
  in use while Windows is running, which is why the MS-DOS pass below is needed.
- Close the NOD32 Windows scanner.
- Download NOD32DOS (the MS-DOS version of NOD32) from our website (www.nod32.com).
To do this:
  - connect to the Internet;
  - start your browser (e.g. Microsoft Internet Explorer);
  - in the address line enter Eset's address: www.nod32.com;
  - click the Download button (upper left-hand side of the screen);
  - click the Download button next to the NOD32DOS version of NOD32;
  - enter your username and password and click the download button; a new
  window will open with two options: a/ run this program from its current
  location and b/ save this program to disk. The second option is set as
  - click the OK button. A new window will open;
  - using the pull-down menu of the "Save in:" line, select the Desktop;
  the default name of the file in the File name: field
  - click the Save button; this will start the transfer of the MS-DOS version
  of NOD32 to your machine. After the transfer is complete, close the window
  by clicking the Close button.
- Installing NOD32DOS on your computer:
  On the main screen (the Desktop), double-click the NODDSEN icon. A new window
  with the Eset logo will open. To continue extracting the files, press any key.
  The first line in the window will read: Verifying authenticity information ... OK,
  and the word DONE will indicate that the MS-DOS version of NOD32 has been
  installed successfully.
- Your computer must be restarted in MS-DOS mode:
  - close the installation window (click the x in the upper right-hand corner
  of the window);
  - click the Start button in the lower left-hand corner of the screen;
  - select the Shut Down command from the menu;
  - select Restart in MS-DOS mode; the screen will go black and a cursor will
  appear.
- Running NOD32DOS in MS-DOS mode and cleaning the damaged files:
  - at the cursor, enter the following command:
  (users of the evaluation version, please see the note at the bottom)
  - the graphical interface of NOD32DOS will open; press the Tab key once to
  highlight the Clean button in the bottom section of the window;
  - press the Enter key to start scanning your fixed media drives;
  - after cleaning is finished (it may take several minutes), close the window;
  - restart your computer (e.g. press the Ctrl-Alt-Del keys together).
Back in Windows, run the NOD32 scanner again. If the cleaning was done
correctly, no viruses will be detected. In case of problems, please contact
us at: firstname.lastname@example.org.
- If you do not want to save the noddsen file (the DOS version of NOD32)
on your desktop, you may choose a different directory. In that case, however,
you need to remember the path of the nod32dos.exe file. This file is extracted
into the dos32e directory, located in the directory into which the
self-extracting archive (noddsen.exe) was downloaded.
- The described procedure also works with evaluation/trial versions of NOD32;
however, the command entered at the DOS prompt is different and reads:
c:\windows\desktop\dos32\nod32dos.exe