Guest guest
Posted November 25, 2000

One of the lists that I am on is having trouble with a virus. MCAFEE did not detect it or eliminate it. In fact those of us who caught it could not even get to MCAFEE. I have no idea how long I have had it and just in case I sent it to anyone or anyone else sends it to anyone, here is some information on it. Believe me this is not a phony alert. I had to get the InoculateIT PE edition to get rid of it. Thankfully there was someone on the list who knew what to do.

Betty in California

> This virus is known by several names, including W32/Apology, W95.Oisdbo,
> W32/MTX, I-Worm.MTX, and W32/MTX@mm and is distributed via email. It is
> difficult to detect and extremely difficult to remove.
>
> The W95.MTX virus does not have a recognisable message in the Subject
> line of the email, making it more difficult to watch for. The only
> reliable method of determining if you have received this email is by
> watching for the presence of any of the following file attachments:
>
> I_wanna_see_you
> Matrix_screen_saver
> Love_letter_for_you
> New_playboy_screen_saver
> Bill_gates_piece
> Tiazinha
> Feiticeira_nua
> Geocities_free_sites
> New_napster_site
> Metallica_song
> Anti_cih
> Internet_security_forum
> Alanis_screen_saver
> Reader_digest_letter
> Win_$100_now
> Is_linux_good_enough!
> Qi_test
> Avp_updates
> Seicho_no_ie
> You_are_fat!
> Free_xxx_sites
> I_am_sorry
> Me_nude
> Sorry_about_yesterday
> Protect_your_credit
> Jimi_hendrix
> Hanson
> F___ing_with_dogs
> Matrix_2_is_out
> Zipped_files
> Blink_182
>
> If you should receive an email containing any of these file attachments,
>
> DO NOT OPEN the email, DELETE it immediately.
>
> Details:
>
> Virus Characteristics
> W95.MTX has a Worm component and a Virus component. It infects some
> Win32 executables in specific directories.
>
> Worm component:
> The worm component makes a copy of Wsock32.dll and names it Wsock32.mtx
> which monitors network traffic. When the virus detects the user sending
> an email, it will send another to the same recipient.
>
> Wininit.ini is created by this component, which causes Wsock32.dll to be
> deleted and Wsock32.mtx to be renamed to Wsock32.dll. Wininit.ini
> executes after the computer is restarted. After Wininit.ini is created,
> this component runs the virus component.
>
> Virus component:
> The virus component searches for specific antivirus programs running. If
> the virus finds one, the virus does not run. If the virus continues to
> run, it decompresses the worm component, drops a copy of it into the
> user's Windows directory (typically C:\Windows), and runs it. The name
> of this dropped file is Ie_pack.exe. After Ie_pack.exe is executed, it
> is renamed to Win32.dll.
>
> The virus also drops Mtx_.Exe and runs it. This is a downloader program
> that goes to a specific Web site (i.am/[MATRIX]) where plug-ins for the
> virus are downloaded and executed. It searches for Win32 executables in
> the current directory, Windows directory, and the Temp directory. The
> file to be infected needs to have a size that is not divisible by 101,
> is greater than 8K in size, and has at least 20 import call
> instructions. If not, the file is not infected by the virus.
>
> Embedded in the virus code is the following text string:
>
> Software provide by [MATRiX] VX team
> Ultras, Mort, Nbk, Lord Dark, Del_Armg0,Anaktos
> All VX guy in #virus channel and Vecna
>
> The virus also adds a registry entry that lets the downloader run
> automatically every time the system is started. The downloader is
> invisible in the Task List.
>

--

Re: Virus Warning

Here is a link to a free virus protection program.

http://antivirus.cai.com/

It is the InoculateIT PE edition. I suggest downloading it and doing a full virus scan on your system. Hopefully, it will be able to get rid of the virus. This is the program I use and it is the one that picked up the virus I mentioned (I_AM_SORRY.DOC.PIF). It runs in the background and if you go to open an attachment that you don't realize has a virus it alerts you and doesn't allow the attachment to open up. Thank goodness this FREE program really works or I would be in trouble too!
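The attachment names and dropped files listed in the warning above can be checked mechanically. The Python below is an added example, not part of the original post or the quoted advisory; the function names, the result labels and the choice of directory to scan are assumptions.

```python
import os

# Attachment base names from the advisory (its censored entry is left out).
MTX_NAMES = set("""
i_wanna_see_you matrix_screen_saver love_letter_for_you new_playboy_screen_saver
bill_gates_piece tiazinha feiticeira_nua geocities_free_sites new_napster_site
metallica_song anti_cih internet_security_forum alanis_screen_saver
reader_digest_letter win_$100_now is_linux_good_enough! qi_test avp_updates
seicho_no_ie you_are_fat! free_xxx_sites i_am_sorry me_nude sorry_about_yesterday
protect_your_credit jimi_hendrix hanson matrix_2_is_out zipped_files blink_182
""".split())

# File names the advisory says the worm and virus components create.
DROPPED = {"wsock32.mtx", "ie_pack.exe", "win32.dll", "mtx_.exe"}


def attachment_matches(filename):
    """True if the attachment's base name, with every extension stripped
    (so I_AM_SORRY.DOC.PIF reduces to i_am_sorry), is on the advisory list."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    return base.split(".", 1)[0] in MTX_NAMES


def scan_windows_dir(windir):
    """List dropped files in windir and Wininit.ini lines that touch Wsock32."""
    findings = []
    for name in sorted(os.listdir(windir)):
        low = name.lower()
        if low in DROPPED:
            findings.append(("dropped-file", name))
        elif low == "wininit.ini":
            with open(os.path.join(windir, name), errors="replace") as fh:
                for line in fh:
                    if "wsock32" in line.lower():
                        findings.append(("wininit-rename", line.strip()))
    return findings


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from real mail.
    for sample in ("I_AM_SORRY.DOC.PIF", "holiday_photos.zip"):
        print(sample, attachment_matches(sample))
    print(scan_windows_dir(os.environ.get("windir", ".")))
```

A hit from either function is a lead to follow up with an antivirus scan rather than proof of infection: a name such as `hanson` can appear on harmless attachments, and a legitimate installer may also write Wininit.ini entries.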