=========================== F R I E N D S H I P ===========================
Original Sender : "M Fahmi Aulia" <[EMAIL PROTECTED]>
----------------------------------------------------------------

I-Worm.MTX

A new worm, I-Worm.MTX, was found spreading through the Internet. This worm, designed for Windows 95/98, arrives as an e-mail with an attached file whose name is taken from the following list:

    README.TXT.pif
    I_wanna_see_YOU.TXT.pif
    MATRiX_Screen_Saver.SCR
    LOVE_LETTER_FOR_YOU.TXT.pif
    NEW_playboy_Screen_saver.SCR
    BILL_GATES_PIECE.JPG.pif
    TIAZINHA.JPG.pif
    FEITICEIRA_NUA.JPG.pif
    Geocities_Free_sites.TXT.pif
    NEW_NAPSTER_site.TXT.pif
    METALLICA_SONG.MP3.pif
    ANTI_CIH.EXE
    INTERNET_SECURITY_FORUM.DOC.pif
    ALANIS_Screen_Saver.SCR
    READER_DIGEST_LETTER.TXT.pif
    WIN_$100_NOW.DOC.pif
    IS_LINUX_GOOD_ENOUGH!.TXT.pif
    QI_TEST.EXE
    AVP_Updates.EXE
    SEICHO-NO-IE.EXE
    YOU_are_FAT!.TXT.pif
    FREE_xxx_sites.TXT.pif
    I_am_sorry.DOC.pif
    aMe_nude.AVI.pif
    Sorry_about_yesterday.DOC.pif
    Protect_your_credit.HTML.pif
    JIMI_HMNDRIX.MP3.pif
    HANSON.SCR
    FUCKING_WITH_DOGS.SCR
    MATRiX_2_is_OUT.SCR
    zipped_files.EXE
    BLINK_182.MP3.pif

The worm tries to confuse users with a doubled file extension and uses extensions that are not typical for executables (such as .PIF). All these files are perfectly executable.

When the attached file is executed, the worm drops the files mtx_.exe, ie_pack.exe and win32.dll into the \WINDOWS directory and prepares a modified copy of the WSOCK32.DLL library, named WSOCK32.MTX, in the \WINDOWS\SYSTEM directory. The worm then creates the file \WINDOWS\WININIT.INI, which contains the following commands:

    [Rename]
    NUL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
    C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\WSOCK32.MTX

and writes these two items into the registry:

    HKLM\Software\[MATRiX]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemBackup=C:\WINDOWS\MTX_.EXE

After the next restart, the file WSOCK32.MTX is renamed to WSOCK32.DLL (as instructed in the WININIT.INI file) and the virus is activated.

When the virus is running, it is able to infect other executable files by appending its body to the end of the infected file (increasing the last section). The call to the virus body is not at the program's entry point.

Removal instructions:

Restart the computer in DOS mode and delete the dropped files (mtx_.exe, ie_pack.exe and win32.dll in the \WINDOWS directory). Replace infected files from backup.

----------------------------------------------------------------
Friendship MailingList is provided by PT Centrin Utama
----------------------------------------------------------------
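
Added example, not part of the original advisory: a small Python audit of WININIT.INI contents that reports pending boot-time replacements of a DLL by a file with a different extension, which is the WSOCK32.DLL / WSOCK32.MTX swap described above. The function names and the extension-mismatch heuristic are assumptions made for this example, and the sample input is constructed from the [Rename] section quoted in the advisory.

```python
# Added example: audit a Windows 9x WININIT.INI for pending boot-time
# replacement of system DLLs, as described in the advisory above.
import ntpath

# Constructed sample reproducing the [Rename] section quoted in the advisory.
SAMPLE_WININIT = r"""
[Rename]
NUL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\WSOCK32.MTX
"""

def parse_renames(text):
    """Return (destination, source) pairs from [Rename], in file order.

    Hand-parsed because keys such as NUL may legitimately repeat, which
    generic INI parsers reject or collapse.
    """
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            ops.append((dest, src))
    return ops

def suspicious_replacements(ops):
    """Flag a .DLL destination whose replacement source is not a .DLL
    (heuristic chosen for this example, not an exhaustive rule)."""
    deleted = {src.upper() for dest, src in ops if dest.upper() == "NUL"}
    findings = []
    for dest, src in ops:
        if dest.upper() == "NUL":
            continue  # NUL=<path> only deletes <path>; handled via `deleted`
        dest_ext = ntpath.splitext(dest)[1].upper()
        src_ext = ntpath.splitext(src)[1].upper()
        if dest_ext == ".DLL" and src_ext != ".DLL":
            findings.append({"target": dest, "source": src,
                             "original_deleted": dest.upper() in deleted})
    return findings

if __name__ == "__main__":
    for finding in suspicious_replacements(parse_renames(SAMPLE_WININIT)):
        print(finding)
```

Legitimate installers also use WININIT.INI to replace in-use files, so a finding is a prompt to inspect the source file, not proof of infection.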