NetPlus communications     W95.MTX Virus Information

NetPlus Users Beware! There is a new virus spreading rapidly throughout the internet.   W95.MTX has a virus component and a worm component. It propagates using email. Also it infects some Win32 executables in specific directories. The virus also has the capability to block access to certain web sites. This may prevent users from downloading new virus definitions.

Here is a list of file names that this virus might use when it sends the infected worm to other people. For those files with .pif extensions, the .pif extension might not be visible in your mail program.

I_wanna_see_you.txt.pif
Matrix_screen_saver.scr
Love_letter_for_you.txt.pif
New_playboy_screen_saver.scr
Bill_gates_piece.jpg.pif
Tiazinha.jpg.pif
Feiticeira_nua.jpg.pif
Geocities_free_sites.txt.pif
New_napster_site.txt.pif
Metallica_song.mp3.pif
Anti_cih.exe
Internet_security_forum.doc.pif
Alanis_screen_saver.scr
Reader_digest_letter.txt.pif
Win_$100_now.doc.pif
Is_linux_good_enough!.txt.pif
Qi_test.exe
Avp_updates.exe
Seicho_no_ie.exe
You_are_fat!.txt.pif
Free_xxx_sites.txt.pif
I_am_sorry.doc.pif
Me_nude.avi.pif
Sorry_about_yesterday.doc.pif
Protect_your_credit.html.pif
Jimi_hendrix.mp3.pif
Hanson.scr
F___ing_with_dogs.scr
Matrix_2_is_out.scr
Zipped_files.exe
Blink_182.mp3.pif

Wininit.ini is created by this component, which causes Wsock32.dll to be deleted and Wsock32.mtx to be renamed to Wsock32.dll. Wininit.ini executes after the computer is restarted. After Wininit.ini is created, this component runs the virus component.

W95.MTX Fix Tool

This tool repairs damage done by the W95.MTX virus (for more information). Due to the nature of this virus, some files will not be repairable. The unrepairable files will need to be restored from clean backup copies, or from the original distribution disks.

How to obtain and use the W95.MTX Fix Tool

To use the tool, we recommend you download the fixmtx.exe file and save it in a new folder on the Windows Desktop (SARC suggests you name the folder fixmtx). After the file finishes downloading:

  1. Close all programs, including your Web Browser.
  2. Click Start, point to Programs, and then click MS-DOS Prompt. An MS-DOS window will open.
  3. Change to the following location where you saved the fixmtx.exe tool by typing the following and pressing Enter:

    cd \windows\desktop\fixmtx

  4. At the C:\windows\desktop\fixmtx> prompt, type the following and press Enter to scan ALL FILES ON THE INFECTED SYSTEM

    fixmtx c:\

What the tool does

After running W95.MTX Fix Tool, all Web sites previously blocked will be accessible.

The tool scans for and repairs (where possible) infected files. If an infected file cannot be repaired (because it has been corrupted), then a message will appear which says that. You will need to restore the damaged files from backup or from the original distribution disks. The worm files are deleted if they are found.

The tool repairs wsock32.dll by removing the virus code. If wsock32.dll is in use at that time, then a copy is made of wsock32.dll and this copy is repaired. Then a wininit.ini will be created and a request to reboot will be printed after scanning is complete. When the machine is rebooted, the wsock32.dll will be replaced with the clean copy.

Updated: October 23, 2000

This information was obtained from www.symantec.com
 More on this virus: http://www.symantec.com/avcenter/venc/data/w95.mtx.html

Thank you

NetPlus Staff

 

 

 

Page Counter