~~~~~~~ Software and Internet Discussion Forum for Christians-Catholics ~~~~~~~

Mr. Ronny and Mr. Pttwr,

Actually, the virus that sends PIF-type attachments is the I-Worm MTX virus, but that virus can send more than just fake PIF files (the content is not a PIF file at all but a PE exe). The data on that virus can be checked against the notice on the AVP site, which I have copied below.

Regards,
Budisastra S.

MTX virus data:

I-Worm.MTX
AVP Virus Encyclopedia
~~~~~~~~~~~~~~~~~~

This is a worm virus spreading under Win32 systems. The virus infects Win32 executable files, attempts to send email messages with infected attached files, as well as installs a backdoor component to download and spawn "plugins" on an affected system.

The virus has an unusual structure. It consists of three different components that are run as stand-alone programs (Virus, email Worm and Backdoor). The virus is the main component. It stores the worm and backdoor programs in its code in compressed form. While infecting the system it extracts and spawns them:

Virus structure
===============

    +----------------+
    | The virus      | --> installs Worm and Backdoor to the system,
    | installation   |     then finds and infects Win32 executable files
    | and infection  |
    | routines       |
    |----------------|
    | Worm code      | --> is extracted to file and run as stand-alone program
    | (compressed)   |
    |----------------|
    | Backdoor code  | --> is extracted to file and run as stand-alone program
    | (compressed)   |
    +----------------+

Infected EXE file
=================

    +----------------+
    | File code      |
    | and data       |
    |                |
    |----------------|
    | Virus code:    |
    |+--------------+|
    || Installation ||
    || and infection||
    |+--------------+|
    || Worm         ||
    |+--------------+|
    || Backdoor     ||
    |+--------------+|
    +----------------+

The worm code does not contain all necessary routines to infect the system when it is sent as an attachment in infected email messages (see below). The worm needs a little "help" from the virus component, and is sent when infected by the virus (the worm file is infected by the virus as an ordinary file and then sent). The reason to use such a way is not clear. Probably the components were written by different people.

The Virus component contains the text strings:
==============================================

    SABIÁ.b ViRuS
    Software provide by [MATRiX] VX TeAm:
    Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
    Greetz: All VX guy in #virus and Vecna for help us
    Visit us at: http://www.coderz.net/matrix

The worm component contains the text strings:

    Software provide by [MATRiX] VX team:
    Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
    Greetz: All VX guy on #virus channel and Vecna
    Visit us: www.coderz.net/matrix

The Backdoor contains the text:

    Software provide by [MATRiX] team:
    Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
    Greetz: Vecna 4 source codes and ideas

The Virus Component
===================

The virus uses "Entry Point Obscuring" technology while infecting a file. That means the virus does not affect the file at its entry code, but places a "Jump Virus" instruction somewhere in the middle of the file code section to make detection and disinfection procedures more complex. As a result the virus is activated only if the corresponding affected program's branch receives control.

The virus is also encrypted, so first of all it has to decrypt itself when its code gets control. The virus then searches for the necessary Win32 API functions by scanning the Win32 kernel. To achieve this the virus tries Win9x, WinNT and Win2000 addresses.

The virus then searches for anti-virus programs active in the system and exits in case any of them is detected. The list of anti-virus programs the virus pays attention to is as follows:

    AntiViral Toolkit Pro
    AVP Monitor
    Vsstat
    Webscanx
    Avconsol
    McAfee VirusScan
    Vshwin32
    Central do McAfee VirusScan

Next the virus installs its components into the system. They are installed decompressed to the Windows directory and then spawned. There are three files created in there. They have the "hidden" attribute set and they have the names:

    IE_PACK.EXE - pure Worm code
    WIN32.DLL   - Worm code infected by the virus (as "Infected File" above)
    MTX_.EXE    - Backdoor code

The virus then infects Win32 executable PE EXE files in the current, temporary, and Windows directories, and then exits.

Worm
====

To send infected messages the worm uses technology that for the first time was found in the "Happy" Internet worm (aka Happy99, aka SKA). The worm affects the WSOCK32.DLL file in the Windows system directory by appending a component of its code to the end of the file and hooking the "send" WSOCK32.DLL routine. As a result the worm then monitors all data that is sent from an affected computer to the Internet.

Usually the WSOCK32.DLL file is in use at the moment the worm starts, and it is locked for writing. To avoid that, the worm uses a standard way: it creates a copy of the original WSOCK32.DLL using the filename WSOCK32.MTX, affects that copy and then writes "replace original file with infected" to the WININIT.INI file:

    NUL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
    C:\WINDOWS\SYSTEM\WSOCK32.DLL=D:\WINDOWS\SYSTEM\WSOCK32.MTX

where "C:\WINDOWS\SYSTEM" is the name of the Windows system directory and may differ depending on the name of the directory Windows is installed in.

During the next restart, the infected WSOCK32 replaces the original one, and the worm gets access to data that is sent from an infected machine. The worm pays attention to Internet sites (Web, ftp) that are visited as well as to email messages that are sent from the computer.

The very visible behavior of the virus is the fact that it stops visiting several Internet sites, as well as disables sending messages to the same domains (they are anti-virus domain names). The virus detects them by four-letter combinations that look like follows:

    nii.
    nai.
    avp.
    f-se
    mapl
    pand
    soph
    ndmi
    afee
    yenn
    lywa
    tbav
    yman

The worm also does not allow sending email messages to domains:

    wildlist.o*
    il.esafe.c*
    perfectsup*
    complex.is*
    HiServ.com*
    hiserv.com*
    metro.ch*
    beyond.com*
    mcafee.com*
    pandasoftw*
    earthlink.*
    inexar.com*
    comkom.co.*
    meditrade.*
    mabex.com *
    cellco.com*
    symantec.c*
    successful*
    inforamp.n*
    newell.com*
    singnet.co*
    bmcd.com.a*
    bca.com.nz*
    trendmicro*
    sophos.com*
    maple.com.*
    netsales.n*
    f-secure.c*

The worm also intercepts email messages that are sent and attempts to send a duplicate message with an infected attachment to the same address (the same as the "Happy" worm does). As a result, the victim address should receive two messages: the first is the original message written by the sender, the second a message with empty subject and text, and an attached file that has one of the names that are selected by the worm depending on the current date:

    README.TXT.pif
    I_wanna_see_YOU.TXT.pif
    MATRiX_Screen_Saver.SCR
    LOVE_LETTER_FOR_YOU.TXT.pif
    NEW_playboy_Screen_saver.SCR
    BILL_GATES_PIECE.JPG.pif
    TIAZINHA.JPG.pif
    FEITICEIRA_NUA.JPG.pif
    Geocities_Free_sites.TXT.pif
    NEW_NAPSTER_site.TXT.pif
    METALLICA_SONG.MP3.pif
    ANTI_CIH.EXE
    INTERNET_SECURITY_FORUM.DOC.pif
    ALANIS_Screen_Saver.SCR
    READER_DIGEST_LETTER.TXT.pif
    WIN_$100_NOW.DOC.pif
    IS_LINUX_GOOD_ENOUGH!.TXT.pif
    QI_TEST.EXE
    AVP_Updates.EXE
    SEICHO-NO-IE.EXE
    YOU_are_FAT!.TXT.pif
    FREE_xxx_sites.TXT.pif
    I_am_sorry.DOC.pif
    Me_nude.AVI.pif
    Sorry_about_yesterday.DOC.pif
    Protect_your_credit.HTML.pif
    JIMI_HMNDRIX.MP3.pif
    HANSON.SCR
    FUCKING_WITH_DOGS.SCR
    MATRiX_2_is_OUT.SCR
    zipped_files.EXE
    BLINK_182.MP3.pif

As the attached file the worm uses the WIN32.DLL file that was dropped by the virus component. Note: the worm does not drop the WIN32.DLL file, but uses that file to attach it to messages that are sent. So the "pure worm" is not able to spread more than one time: when run on a victim machine it will infect the WSOCK32.DLL, but will not be able to send its copies further. To "fix that problem" the worm sends its infected copy (WIN32.DLL is the worm component infected by the virus component, see above).

Fortunately, the known worm modification has a bug in its spreading routine and the email server fails to receive affected messages from an infected machine. So, the known worm version cannot be widely spread.

Backdoor
========

When run the backdoor component creates a new key in the system registry that indicates the machine is already infected:

    HKLM\Software\[MATRIX]

If this key exists the Backdoor skips the installation procedure. Otherwise it registers itself in the auto-run section:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    SystemBackup=%WinDir%\MTX_.EXE

where %WinDir% is the Windows directory.

The Backdoor then stays active in Windows as a hidden application (service) and runs a routine that connects to some Internet server, gets files from there and spawns them in the system. So the Backdoor can infect the system with other viruses or install trojan programs or more functional backdoors.

This component in the known virus version also has a bug that causes a standard Windows message about an error in the application when the backdoor tries to access the Internet site.
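As an added defender-side example that is not part of the original post or the AVP entry: a small Python triage helper that checks data collected from a suspect host against the indicators described above (the WININIT.INI rename entry that swaps in WSOCK32.MTX, the three dropped files, the SystemBackup Run value and the [MATRIX] marker key). The sample inputs are constructed and the function names are my own.

```python
"""Triage helper for the I-Worm.MTX indicators described in the AVP entry.

Constructed example: it works on text and lists exported from a suspect
machine (contents of WININIT.INI, a listing of the Windows directory,
the values under the Run key), so it runs offline on any platform.
"""

# Files the virus component drops into the Windows directory (from the entry).
MTX_DROPPED_FILES = {"IE_PACK.EXE", "WIN32.DLL", "MTX_.EXE"}
# Auto-run value and marker key created by the backdoor component.
MTX_RUN_VALUE = ("SystemBackup", "MTX_.EXE")
MTX_MARKER_KEY = r"HKLM\Software\[MATRIX]"


def check_wininit(wininit_text):
    """True if a WININIT.INI rename entry replaces WSOCK32.DLL with WSOCK32.MTX.
    The swap only happens at the next reboot, so before that the infected
    copy is visible here rather than in the system directory."""
    for line in wininit_text.splitlines():
        if "=" not in line or line.lstrip().startswith(";"):
            continue
        dest, _, src = line.partition("=")
        if dest.strip().upper().endswith("WSOCK32.DLL") and \
                src.strip().upper().endswith("WSOCK32.MTX"):
            return True
    return False


def check_dropped_files(listing):
    """Return the MTX drop names present in a Windows-directory listing."""
    return sorted(n.upper() for n in listing if n.upper() in MTX_DROPPED_FILES)


def check_run_values(run_values):
    """run_values: dict of value name -> data exported from the Run key."""
    name, exe = MTX_RUN_VALUE
    return run_values.get(name, "").upper().endswith(exe)


def triage(wininit_text, listing, run_values, marker_key_present):
    """Combine the checks into a list of finding tags (empty means clean)."""
    findings = []
    if check_wininit(wininit_text):
        findings.append("wininit_wsock32_swap")
    dropped = check_dropped_files(listing)
    if dropped:
        findings.append("dropped_files:" + ",".join(dropped))
    if check_run_values(run_values):
        findings.append("run_key_systembackup")
    if marker_key_present:           # presence of HKLM\Software\[MATRIX]
        findings.append("marker_key")
    return findings


# Constructed sample data resembling an infected Win9x host.
SAMPLE_WININIT = "[rename]\nNUL=C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL\n" \
                 "C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.MTX\n"
SAMPLE_LISTING = ["WIN.INI", "ie_pack.exe", "WIN32.DLL", "MTX_.EXE", "NOTEPAD.EXE"]
SAMPLE_RUN = {"SystemBackup": r"C:\WINDOWS\MTX_.EXE",
              "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"}

if __name__ == "__main__":
    print(triage(SAMPLE_WININIT, SAMPLE_LISTING, SAMPLE_RUN, marker_key_present=True))
```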
