©1995-2014 Symantec Corporation.
All rights reserved.


W95.MTX

Category 2


W95.MTX has a virus component and a worm component. It propagates by email. It also infects some Win32 executables in specific folders. The virus has the capability to block access to certain Web sites. This may prevent you from downloading new virus definitions.

Symantec has also created an interactive tutorial to help you get rid of this virus.


Also Known As: W95.Oisdbo, W95.MTX.dr, W95.MTX (.dll), W32/Apology-B [Sophos], I-Worm.MTX [Kaspersky], W95/MTX@M [McAfee], PE_Mtx.A [Trend], Win95.Mtx [Computer Associates]
Type: Virus, Worm
Infection Length: 9250 (variable)
Systems Affected: Windows 95, Windows 98, Windows Me
Systems Not Affected: Windows 3.x, Windows NT, Windows 2000, Windows XP, Macintosh, UNIX, Linux

protection
  • Virus Definitions (LiveUpdate™ Weekly): August 28, 2000
  • Virus Definitions (Intelligent Updater): August 28, 2000

    threat assessment

    Threat Metrics

    Wild: Low
    Damage: Medium
    Distribution: High

    technical details

    Worm component

    The worm component makes a copy of Wsock32.dll and names it Wsock32.mtx. The Send export function of this .mtx file is then modified to point to the worm's own code. This lets the worm mail a copy of itself (carrying the virus) to each recipient to whom the user sends an email message with that program.

    Here is a list of file names that this virus might use when it sends the infected worm to other people. For those files with .pif extensions, the .pif extension might not be visible in your mail program.

    I_wanna_see_you.txt.pif
    Matrix_screen_saver.scr
    Love_letter_for_you.txt.pif
    New_playboy_screen_saver.scr
    Bill_gates_piece.jpg.pif
    Tiazinha.jpg.pif
    Feiticeira_nua.jpg.pif
    Geocities_free_sites.txt.pif
    New_napster_site.txt.pif
    Metallica_song.mp3.pif
    Anti_cih.exe
    Internet_security_forum.doc.pif
    Alanis_screen_saver.scr
    Reader_digest_letter.txt.pif
    Win_$100_now.doc.pif
    Is_linux_good_enough!.txt.pif
    Qi_test.exe
    Avp_updates.exe
    Seicho_no_ie.exe
    You_are_fat!.txt.pif
    Free_xxx_sites.txt.pif
    I_am_sorry.doc.pif
    Me_nude.avi.pif
    Sorry_about_yesterday.doc.pif
    Protect_your_credit.html.pif
    Jimi_hendrix.mp3.pif
    Hanson.scr
    F___ing_with_dogs.scr
    Matrix_2_is_out.scr
    Zipped_files.exe
    Blink_182.mp3.pif
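As an added illustration (not part of Symantec's write-up), the following Python script shows how a mail gateway or log reviewer could flag these attachment names and the double-extension trick they rely on; the gateway log line format is an assumption, and the log lines are constructed.

```python
import re

# Attachment names from the W95.MTX write-up, lower-cased for matching.
MTX_LURE_NAMES = {
    "i_wanna_see_you.txt.pif", "matrix_screen_saver.scr",
    "love_letter_for_you.txt.pif", "new_playboy_screen_saver.scr",
    "bill_gates_piece.jpg.pif", "tiazinha.jpg.pif", "feiticeira_nua.jpg.pif",
    "geocities_free_sites.txt.pif", "new_napster_site.txt.pif",
    "metallica_song.mp3.pif", "anti_cih.exe", "internet_security_forum.doc.pif",
    "alanis_screen_saver.scr", "reader_digest_letter.txt.pif",
    "win_$100_now.doc.pif", "is_linux_good_enough!.txt.pif", "qi_test.exe",
    "avp_updates.exe", "seicho_no_ie.exe", "you_are_fat!.txt.pif",
    "free_xxx_sites.txt.pif", "i_am_sorry.doc.pif", "me_nude.avi.pif",
    "sorry_about_yesterday.doc.pif", "protect_your_credit.html.pif",
    "jimi_hendrix.mp3.pif", "hanson.scr", "f___ing_with_dogs.scr",
    "matrix_2_is_out.scr", "zipped_files.exe", "blink_182.mp3.pif",
}

# Executable attachment types named in the recommendations section of the write-up.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "bat", "vbs"}
# Harmless-looking "inner" extensions the lure names use to disguise a .pif or .scr.
DECOY_EXTS = {"txt", "jpg", "mp3", "doc", "html", "avi"}


def classify_attachment(name):
    """Return a verdict string for an attachment file name, or None if clean."""
    n = name.strip().lower()
    if n in MTX_LURE_NAMES:
        return "known-mtx-lure"
    parts = n.split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    # e.g. picture.jpg.pif: a mail client that hides .pif displays "picture.jpg"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "blocked-type"


# Constructed gateway log lines (assumed format: key="value" pairs).
SAMPLE_LOG = [
    'from="alice@example.test" attachment="Me_nude.avi.pif"',
    'from="bob@example.test" attachment="quarterly_report.doc"',
    'from="carol@example.test" attachment="holiday.jpg.scr"',
    'from="dave@example.test" attachment="installer.exe"',
]

_ATTACH_RE = re.compile(r'attachment="([^"]+)"')


def scan_mail_log(lines):
    """Return (file name, verdict) for every log line whose attachment is flagged."""
    hits = []
    for line in lines:
        m = _ATTACH_RE.search(line)
        if not m:
            continue
        verdict = classify_attachment(m.group(1))
        if verdict:
            hits.append((m.group(1), verdict))
    return hits


if __name__ == "__main__":
    for name, verdict in scan_mail_log(SAMPLE_LOG):
        print(f"{verdict:17} {name}")
```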

    Wininit.ini is created by this component, which causes Wsock32.dll to be deleted and Wsock32.mtx to be renamed to Wsock32.dll. Wininit.ini executes after the computer is restarted. After Wininit.ini is created, this component runs the virus component.

    NOTE: Norton AntiVirus will detect the Wininit.ini file that's created by W95.MTX as W95.MTX.INI.
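To show what the Wininit.ini step looks like to a defender, here is an added Python example (not from the write-up or from Symantec) that inspects the [rename] section of a Wininit.ini for operations that delete or replace Wsock32.dll; the Windows 9x [rename] syntax (NUL=path deletes, destination=source renames) is assumed, and the sample file contents and paths are constructed from the description above.

```python
import ntpath

# System files the write-up says W95.MTX replaces or infects.
PROTECTED = {"wsock32.dll", "explorer.exe", "rundll32.exe"}


def parse_rename_section(text):
    """Return the [rename] entries of a Wininit.ini as (destination, source) pairs.

    Parsed by hand because the section may legitimately repeat the NUL key,
    which a strict INI parser would reject.
    """
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (s.strip() for s in line.split("=", 1))
            ops.append((dest, src))
    return ops


def audit_wininit(text):
    """Flag [rename] operations that delete or overwrite a protected system file."""
    findings = []
    for dest, src in parse_rename_section(text):
        src_name = ntpath.basename(src).lower()
        dest_name = ntpath.basename(dest).lower()
        if dest.upper() == "NUL" and src_name in PROTECTED:
            findings.append(("delete", src_name, src))
        elif dest_name in PROTECTED:
            # Any overwrite of a protected file is worth a look; a .mtx source
            # is the specific pattern this write-up describes.
            findings.append(("overwrite", dest_name, src))
    return findings


# Constructed sample matching the behaviour described above; the exact paths
# are an assumption, not copied from an infected machine.
SAMPLE_WININIT = """[rename]
NUL=C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.MTX
"""

# Constructed benign sample: an installer removing its own temporary file.
BENIGN_WININIT = """[rename]
NUL=C:\\WINDOWS\\TEMP\\SETUP.TMP
"""

if __name__ == "__main__":
    for action, target, src in audit_wininit(SAMPLE_WININIT):
        print(f"{action:9} {target:12} from {src}")
```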

    Virus component
    The virus component searches for specific antivirus programs running. If it finds one, the virus does not run. Otherwise, it decompresses the worm component, drops a copy of it into the user's Windows directory (typically C:\Windows), and runs it. The name of this dropped file is Ie_pack.exe. After Ie_pack.exe is executed, it is renamed to Win32.dll.

    The virus also drops Mtx_.Exe and runs it. This is a downloader program that goes to a specific Web site (i.am/[MATRIX]) where plug-ins for the virus are downloaded and executed. The virus searches for Win32 executables in the current directory, the Windows directory, and the Temp directory. A file is infected only if its size is greater than 8 KB and not divisible by 101, and it has at least 20 import call instructions; otherwise the virus leaves the file alone.

    The virus also adds a registry entry that lets the downloader run automatically every time the system is started. The downloader is invisible in the Task List.

    recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

    removal instructions

    There are two ways to remove this virus:

    • Use the Symantec Security Response W95.MTX Fix Tool.
    • Manually remove the virus.

    In most cases, you should first try the W95.MTX Fix Tool.

    Use the W95.MTX Fix Tool

    Symantec Security Response has developed a tool to help repair the damage.

    If you cannot get to this site, then the tool is also available at the following site:

    http://www.digitalriver.com/symantec/virus

    Manual removal procedure

    This is a complex and difficult virus to remove. It alters system files, and on some computers these files cannot be repaired. In some cases, after attempting to repair the virus, you cannot start Windows until you restore the essential system files from the original Windows installation CD.

    NOTE: Because this virus can not only disable Windows and executable files, but can also block access to certain Web sites, including Symantec Web sites, in some cases you must perform any needed downloads on an uninfected computer.

    This document assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a qualified computer consultant.

    CAUTIONS:
    • Windows 98 enables you to create a startup disk, which contains both system files and drivers that will work with most CD-ROM drives. Windows 95 does not. Before you start this procedure, it is strongly recommended that you create or obtain a Windows 98 Startup disk. This can be used to start a Windows 95 or a Windows 98 computer. If you do not create this disk first, and the first part of the removal procedure does not work on your computer, then you may not be able to restore some Windows files if this is needed.
    • This virus should be detected and removed by following the instructions that follow. The mere presence of files that begin with the letters "mtx" or have the .mtx extension is not an indication of infection. For example, the files mtxdm.dll, mtxoci.dll, twain*.mtx, and twunk*.mtx are all legitimate Windows program files.

    NOTES:
    • Due to the nature of this virus, some files will not be repairable. The unrepairable files will need to be restored from clean backup copies, or from the original distribution disks.
    • To remove this threat you must carefully watch Norton AntiVirus (NAV) during the detection process. The files infected by the virus portion of W95.MTX should be detected as W95.MTX and W95.MTX (.dll). Any files that are detected as being infected with either W95.MTX or W95.MTX (.dll) should be repairable.
    • Files that are part of the Trojan and worm part of the infection should be detected as W95.MTX.dr. Any files detected as being infected with W95.MTX.dr must be removed.
    • It is important to make the distinction between the virus and the worm components, because the virus part of W95.MTX can infect Windows system files, and if you delete system files, then you might damage Windows.

    To repair the damage done by this virus, follow the instructions in each section.
    • Create or obtain a Startup disk
    • Ensure that you have the most recent virus definitions
    • Restart the computer to a command prompt
    • Delete the infected files
    • Extract new copies of the Wsock32.dll, Explorer.exe, and Rundll32.exe files
    • Edit the registry

    To create or obtain a Startup disk:

    NOTE: You can skip this section if you are sure that the Windows installation files are located on the local hard drive, and that you can restart the computer in MS-DOS mode. Details on this are covered in the sections that follow.

    Before you begin the removal process, you should create or obtain a Windows 98 Startup disk. If you are running Windows 95, then you may be able to obtain one from a local computer store. To create one on a Windows 98 computer, follow these steps:

    CAUTION: This must be done on an uninfected computer. Do not do this on the computer that is infected with the virus.
    1. Click Start, point to Settings, and click Control Panel.
    2. Double-click Add/Remove Programs.
    3. Click the Startup disk tab.
    4. Place a new, formatted floppy disk in the floppy disk drive.
    5. Click Create Disk, and then follow the prompts.

    To ensure that you have the most recent virus definitions:

    Norton AntiVirus must be installed, and you must have virus definitions dated September 5, 2000, or later. If your virus definitions are up-to-date, then go on to the next section. If they are not up-to-date, then you cannot run LiveUpdate or download the definitions from the Symantec Security Response Web site. There are several ways to work around this:

    To restart the computer to a command prompt:

    You must restart the computer to a command prompt. Follow the steps for your operating system:
    • Windows 95
      1. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
      2. Click Restart, and then click Yes. Windows shuts down, and the computer restarts.
      3. When "Starting Windows 95..." appears on the screen, press F8. The Windows 95 Startup Menu appears.
      4. Press the number corresponding to "Command Prompt only," and then press Enter.
    • Windows 98
      1. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
      2. Click Restart, and then click OK. Windows shuts down, and the computer restarts.
      3. As the computer restarts, press and hold down the Ctrl key until the Windows 98 Startup Menu appears.

        NOTE: On some computers, a keyboard or other error may appear during restart as you hold down the Ctrl key. If so, then follow the prompts to press a key to continue (for example, the message may prompt you to press the Esc key), then immediately press the Ctrl key again.
      4. Press the number corresponding to "Command Prompt only," and then press Enter.

    To delete the infected files:

    Follow these steps to delete the infected files:

    NOTE: These instructions assume that Windows is installed to the default of C:\Windows. If Windows installed to a different location, then substitute the appropriate folder.
    1. Type each of the following commands, pressing Enter after each one:

      cd \windows
      set path=c:\windows\command
      attrib -r -s -h *.*
      del ie_pack.exe
      del win32.dll
      del mtx_.exe
      del wininit.ini

      NOTE: If you see "File not found" after entering any of the commands, then verify that the command was typed exactly as shown.
    2. Type dir /s /b \navdx.exe and then press Enter. This displays the path to the Norton AntiVirus DOS scanner. If NAV is installed to a different drive, then change to the root of that drive first.
    3. Change to the folder where Navdx.exe is installed.
    4. Type one of the following commands, and then press Enter:

      CAUTION: This could take several hours or more on some computers. Do not attempt to stop the scan once it has started.

      NOTE: The DOS-based scanner can perform one of the following actions when it detects a virus:
      • To be prompted for any file that is detected as infected, type the following, and then press Enter:

        navdx /a /doallfiles /prompt

        You must press R)epair, D)elete, or C)ontinue for each infected file. If you choose this option, and NAV cannot repair an infected file, then you will see the message "Unable to repair the file" followed by the same three choices. In most cases you should then choose D)elete, unless you are sure that the file is not actually infected.
      • To delete any file that is detected as infected, type the following, and then press Enter:

        navdx /a /doallfiles /delete

        The disadvantage to this is that files that could be repaired will be deleted.
      • To repair any file that is detected as infected, type the following, and then press Enter:

        navdx /a /doallfiles /repair

        CAUTION: If NAV cannot repair a file and you choose this option, then the file will be skipped. This means that infected files will still be on your system. If you choose this option, then you must run Navdx again, this time using the /delete switch, as shown in the previous example.
    5. When the scan is finished, proceed to the next section.

    To extract new copies of the Wsock32.dll, Explorer.exe, and Rundll32.exe files:

    This is necessary because these files have very likely been infected by the virus and are critical for accessing the Internet and using the computer. You need to use the Extract command at a DOS prompt to restore good copies of these files from the Windows installation files.

    There are two locations from which these files can be extracted:
    • The Windows installation files on your hard drive. On many newer computers, the .cab files that contain the Windows installation files are stored on the computer's hard drive. If you are sure that this is the case, then see the section How to extract files that are located on the hard drive.
    • The Microsoft Windows 95/98 Installation CD. If you do not have the .cab files on the hard drive, then see the section How to extract files that are located on the installation CD.
    CAUTION: If you are running Windows 95 or have upgraded the computer to Windows 98 from Windows 95, then read the following:
    • If you are running Windows 95, and you have installed Internet Explorer 4.0 or later at any time, then it is not likely that extracting the Explorer.exe file will work on your system. This is because the Internet Explorer installation replaces Explorer.exe, as well as other files, with later versions. Replacing only the Explorer.exe file from the .cab files will not work in most cases, because the older file will not work with the many other files that were also updated by the installation. If this is your situation, then you may have to reinstall Windows 95 completely, or update to Windows 98 or later.
    • If you have upgraded to Windows 98 from Windows 95, unless you are sure that the cabinet files on the hard drive are from Windows 98, you should extract the files from the installation CD and not from the files on the hard drive.
    NOTES:
    • These instructions are provided for your convenience. The extraction of Windows files uses Microsoft programs and commands. Symantec does not provide warranty support for or assistance with Microsoft products.
    • There are numerous versions of the Windows installation CD available. Each of these may have the needed files in a different location within the .cab files. In the instructions that follow, while the command provided tells the extraction program to start in a specific location, the command also includes the "/a" switch. This switch causes the extract program to search recursively through all of the cabinet files that follow, in sequence, until it finds the indicated file. It will not, however, search for files that are in earlier .cab files. For example, the command for Windows 98, extract /a win98_40.cab explorer.exe /L c:\windows, will start with .cab 40, then search .cab 41, and so on. It will not search .cab 39 or previous .cab files.

      The Windows 98 .cab files usually begin at 21 and typically end in the upper 70's (usually 74). We have the search begin with .cab 40 because, in most cases, these files are in .cab 44 or 45. This is done to speed up the search for these files. If you have a version of the Windows installation files that is different from the standard format, then you will have to adjust the command accordingly. For example, if you have Windows 98 and the command extract /a win98_40.cab explorer.exe /L c:\windows does not locate the explorer.exe file, and you are sure that you have entered it exactly as shown, try changing the number of the .cab file in which the search starts, for example, to extract /a win98_20.cab explorer.exe /L c:\windows.

    To extract files that are located on the hard drive:
    1. Type dir /s /b \precopy1.cab and then press Enter. This displays the path to the Precopy1.cab file. If the file is not found, then it is likely that the .cab files are not on the hard drive. In that case, skip to the section To extract files that are located on the installation CD.
    2. Change to the folder where the Precopy1.cab file is located.
    3. What you do next depends on which operating system you are using:
        NOTES:
        • If you see "File not found" after entering any of the commands, then verify that it was typed exactly as shown.
        • If you see a message prompting whether you want to overwrite a file, then press Y for Yes, and then press Enter.
        • If Windows is installed to a different location, then substitute the appropriate path.

        CAUTION: You must be very careful when you type the destination of the file to be extracted, for example, C:\Windows. If you designate a destination folder that does not exist, then the extract command will create the new folder and extract the file to that folder without prompting you to confirm the creation. The result can be that the infected Windows system file is not overwritten.
      • If you are using Windows 98, then type the following commands, and press Enter after each one:

        extract /a precopy1.cab wsock32.dll /L c:\windows\system
        extract /a win98_40.cab explorer.exe /L c:\windows
        extract /a win98_40.cab rundll32.exe /L c:\windows
      • If you are using Windows 95, then type the following commands, and press Enter after each one:

        extract /a win95_10.cab wsock32.dll /L c:\windows\system
        extract /a win95_10.cab explorer.exe /L c:\windows
        extract /a win95_10.cab rundll32.exe /L c:\windows
      If you do not see any error messages, then you are finished with the extraction process. Proceed to the section Edit the registry.

    To extract files that are located on the installation CD:

    NOTES:
    • The instructions that follow are for the most widely-distributed CD versions of Windows 95/98. There are, however, numerous versions, some of which were distributed on floppy disks. Each version may have the .cab files in a different location, or may have the files that you need to extract in a different .cab file. It is beyond the scope of this document to include instructions for every version.
    • If you do not have the Windows installation CD for which the following commands were written, then you may have to change the command to the correct path for your version. You will also have to locate the .cab file that contains the file that you need to extract. For additional information on this, see the document Which cabinet files contain the original Windows files?
    1. Insert the Windows 98 Startup disk in the floppy disk drive.
    2. Insert the Windows 98 Installation CD in the CD-ROM drive.
    3. Turn off the computer, and then wait thirty seconds.
    4. Turn on the computer. The computer starts to a startup menu.
    5. The default menu item is Start Computer with CD-ROM Support. Do not change this, but instead press Enter.
    6. Allow the computer to finish booting to an A:\> prompt. This could take a few minutes.
    7. The next step is to change to the CD-ROM drive. Because you are using the Startup disk, the drive letter will be one letter greater than the drive letter that usually represents the CD-ROM drive. For example, if the CD-ROM drive is the D drive in Windows, it will be the E drive.

      Type the following, changing the drive letter as necessary, and then press Enter:

      e:\win98 (If the installation disk is for Windows 98)

      or

      e:\win95 (If the installation disk is for Windows 95)

      If you see an error message, then try retyping the command with a different drive letter, for example, f:\win98
    8. What you do next depends on which version of Windows you are running:
        NOTES:
        • If you see "File not found" after entering any of the commands, then verify that it was typed exactly as shown.
        • If you see a message prompting whether you want to overwrite a file, then press Y for Yes, and then press Enter.
        • If Windows is installed to a different location, then substitute the appropriate path.

        CAUTION: You must be very careful when you type the destination of the file to be extracted, for example, C:\Windows. If you designate a destination folder that does not exist, then the extract command will create the new folder and extract the file to that folder without prompting you to confirm the creation. The result can be that the infected Windows system file is not overwritten.
      • If you are running Windows 98, then type the following commands, and press Enter after each one:

        extract /a precopy1.cab wsock32.dll /L c:\windows\system
        extract /a win98_40.cab explorer.exe /L c:\windows
        extract /a win98_40.cab rundll32.exe /L c:\windows
      • If you are running Windows 95, then type the following commands, and press Enter after each one:

        extract /a win95_10.cab wsock32.dll /L c:\windows\system
        extract /a win95_10.cab explorer.exe /L c:\windows
        extract /a win95_10.cab rundll32.exe /L c:\windows

    If you experience no error messages, then you are finished with the extraction process. Proceed to the next section.

    To edit the registry:

    Follow these steps to remove the entry that the virus added to the registry:

    CAUTION: We strongly recommend that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in permanent data loss or corrupted files. Please make sure that you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
    1. Remove the floppy disk from the floppy disk drive.
    2. If you extracted the files from the Installation CD, then remove the CD from the CD-ROM drive.
    3. Turn off the computer, and then wait thirty seconds.
    4. Turn on the computer, and allow Windows to start.

      NOTE: It is normal at this point for error messages to appear. They will refer to the virus files with messages, such as "Windows cannot find...." Ignore these messages. They are the result of the remaining entries in the Windows registry that you will remove next. They do not indicate that the computer is still infected.
    5. Click Start, and then click Run. The Run dialog box appears.
    6. Type regedit and then click OK. The Registry Editor opens.
    7. Navigate to and select the following subkey:

      HKey_Local_Machine\Software\[Matrix]
    8. Press Delete, and then click Yes to confirm.
    9. Navigate to and select the following subkey:

      HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
    10. Delete the following value in the right pane:

      SystemBackup C:\WINDOWS\MTX_.EXE
    11. Click Yes to confirm.
    12. In the left pane, click the My Computer key.
    13. Click the Edit menu, and then click Find.
    14. In the Find what box, type mtx and then click Find Next.
    15. What you do next depends on whether any entries are found.
      • If no entries are found that contain the string mtx, then proceed to the next step.
      • If any entries are found that refer to Mtx_.exe, then you should delete them. Because this is a string search, it could find entries for legitimate programs that happen to contain this string. Make sure that the reference is to Mtx_.exe before you delete it. To continue the search if an entry is found, press F3. Keep doing this until no more entries are found.
    16. Perform another find operation, but this time search for [MATRIX]. Delete any entries that are found.
    17. Click the Registry menu, and then click Exit to save the changes and close the Registry Editor.
    18. Restart the computer.

    Revision History:

    September 20, 2002. Downgraded from Category 3 to Category 2 based on decreased rate of submissions.


    Write-up by: Cary Ng and Peter Ferrie