Hello Stuart & other fellow TB! Users following this wormy thread,

Monday, December 18, 2000, you stated regarding :


ST> For more information on this specific virus,

IS_LINUX_GOOD_ENOUGH!.TXT.PIF (a Win95.Matrix.9216 worm/virus)

ST> please see

http://www.cai.com/virusinfo/encyclopedia/descriptions/mtx.htm and

That allowed me to search for the files the worm creates,

Mtx_.exe, Ie_pack.exe & Win32.dll

Happily, none were discovered; the conclusion being that I DIDN'T
activate it (I was tired at the time & wasn't sure, or didn't feel I
was as careful as usual).

I will also check the registry for the change mentioned.

  the following registry key (which runs the trojan each time
  Windows reboots) is created:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemBackup
  = \MTX_.EXE

  The trojan attempts to download and run files from a website which
  may contain other malicious programs. Next, the worm part is
  launched and creates a modified version of Wsock32.dll. It then
  overwrites the wininit.ini file with its own copy. (The
  wininit.ini file is only present on the system when required. When
  the system starts, commands in this file will be carried out and
  the file will be deleted). The virus' wininit.ini file contains
  commands to replace the original version of Wsock32.dll file with
  its own when Windows reboots. Once the original version is
  replaced, the new Wsock32.dll intercepts information being sent
  (by the send() function) from the computer to the network. If it
  detects that an e-mail is being sent, it will immediately send a
  second e-mail to the same recipient. The second e-mail has no
  subject and no body; merely an attachment which is randomly picked
  from a list of names within the code (shown here in the same order
  as in the infected file):

Talk about malicious.
  
Good virus info source from Computer Associates

The Trend Micro site didn't find: IS_LINUX_GOOD_ENOUGH!.TXT.PIF (and
tried to set cookies) but may be good for other viruses.

DH
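An added check script, not part of the original post or of the CA write-up it quotes, that looks for the three indicators the quoted description names: the Run value pointing at MTX_.EXE, the dropped files Mtx_.exe / Ie_pack.exe / Win32.dll, and a wininit.ini [rename] entry that would replace Wsock32.dll on reboot. The inputs are constructed samples, and the [rename] section layout (destination=source lines) is assumed from the Win9x wininit.ini format.

```python
# Constructed sample inputs modelled on the CA description quoted above.
MTX_FILES = {"mtx_.exe", "ie_pack.exe", "win32.dll"}   # files the worm drops

SAMPLE_RUN_VALUES = {            # constructed HKLM\...\CurrentVersion\Run values
    "SystemBackup": r"\MTX_.EXE",  # the persistence value the description names
    "SystemTray": "SysTray.Exe",   # a benign value, should not be reported
}
SAMPLE_WINDOWS_DIR = ["explorer.exe", "MTX_.EXE", "wininit.ini", "win32.dll"]
SAMPLE_WININIT = """[rename]
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\WIN32.DLL
"""   # constructed; wininit.ini uses destination=source under [rename]


def parse_wininit_renames(text):
    """Return (destination, source) pairs from the [rename] section."""
    renames, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):             # section header
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, src = (p.strip() for p in line.split("=", 1))
            renames.append((dest, src))
    return renames


def mtx_findings(run_values, windows_dir_listing, wininit_text):
    """List the MTX indicators present in the supplied snapshot."""
    findings = []
    for name, value in run_values.items():
        if "mtx_.exe" in value.lower():
            findings.append(f"Run value {name} = {value}")
    for fname in windows_dir_listing:
        if fname.lower() in MTX_FILES:
            findings.append(f"dropped file {fname}")
    for dest, src in parse_wininit_renames(wininit_text):
        if dest.lower().endswith("wsock32.dll"):
            findings.append(f"wininit.ini replaces {dest} with {src}")
    return findings


if __name__ == "__main__":
    for hit in mtx_findings(SAMPLE_RUN_VALUES, SAMPLE_WINDOWS_DIR, SAMPLE_WININIT):
        print("FOUND:", hit)
```

On a live Win9x box the three inputs would come from the Run key, a listing of the Windows directory, and the contents of wininit.ini if it exists; an empty result from all three matches the "none were discovered" outcome above.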
