I just received an email virus as an attachment from a Forum member. The attachment was named reader_digest_letter.pif but apparently it can have a lot of names. The email had no title, and the body of the message was blank.
This is a real nasty one. It even blocks access to the anti-virus pages on the web. It's called the W95.MTX virus. Here's a link to the Symantec page about it: www.symantec.com/avcenter/venc/data/w95.mtx.html
Here's a description from that page:
quote:
------------------
Worm component
The worm component makes a copy of Wsock32.dll and names it Wsock32.mtx. The Send export function of this .mtx file is then modified to point to its own code. This allows the virus to mail a copy of the worm infected with this virus to the same person to whom the user sends an email (using the same program).
Here is a list of file names that this virus might use when it sends the infected worm to other people. For those files with .pif extensions, the .pif extension might not be visible in your mail program.
I_wanna_see_you.txt.pif
Matrix_screen_saver.scr
Love_letter_for_you.txt.pif
New_playboy_screen_saver.scr
Bill_gates_piece.jpg.pif
Tiazinha.jpg.pif
Feiticeira_nua.jpg.pif
Geocities_free_sites.txt.pif
New_napster_site.txt.pif
Metallica_song.mp3.pif
Anti_cih.exe
Internet_security_forum.doc.pif
Alanis_screen_saver.scr
Reader_digest_letter.txt.pif
Win_$100_now.doc.pif
Is_linux_good_enough!.txt.pif
Qi_test.exe
Avp_updates.exe
Seicho_no_ie.exe
You_are_fat!.txt.pif
Free_xxx_sites.txt.pif
I_am_sorry.doc.pif
Me_nude.avi.pif
Sorry_about_yesterday.doc.pif
Protect_your_credit.html.pif
Jimi_hendrix.mp3.pif
Hanson.scr
F___ing_with_dogs.scr
Matrix_2_is_out.scr
Zipped_files.exe
Blink_182.mp3.pif
Wininit.ini is created by this component, which causes Wsock32.dll to be deleted and Wsock32.mtx to be renamed to Wsock32.dll. Wininit.ini executes after the computer is restarted. After Wininit.ini is created, this component runs the virus component.
Virus component
The virus component searches for specific antivirus programs running. If the virus finds one, the virus does not run. If the virus continues to run, it decompresses the worm component, drops a copy of it into the user's Windows directory (typically C:\Windows), and runs it. The name of this dropped file is Ie_pack.exe. After Ie_pack.exe is executed, it is renamed to Win32.dll.
The virus also drops Mtx_.Exe and runs it. This is a downloader program that goes to a specific Web site (i.am/[MATRIX]) where plug-ins for the virus are downloaded and executed. It searches for Win32 executables in the current directory, Windows directory, and the Temp directory. The file to be infected needs to have a size that is not divisible by 101, is greater than 8K in size, and has at least 20 import call instructions. If not, the file is not infected by the virus.
The virus also adds a registry entry that lets the downloader run automatically every time the system is started. The downloader is invisible in the Task List.
------------------
I urge people to never send executables by email, and never open them if someone else sends them. This is a very destructive virus, and it's very hard to get rid of.
------------------
Bobby Lee - email: quasar@b0b.com - gigs - CDs
Sierra Session S-12 (E9), Speedy West D-10 (E9, D6),
Sierra 8 Laptop (D13), Fender Stringmaster D-8 (D13, A6)
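The quoted description notes that the trailing .pif may not be visible in a mail program, so a name like Reader_digest_letter.txt.pif displays as a text file. The following is an added example, not part of the original post or of the Symantec write-up: a mail-side check that flags attachments whose real (last) extension is one the quoted list uses. The function names, the sample addresses and the constructed message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Final extensions that the quoted file-name list uses for the attachment.
EXECUTABLE_EXTS = {"pif", "scr", "exe"}
# Harmless-looking extensions the list places in front of ".pif" as a decoy.
DECOY_EXTS = {"txt", "jpg", "doc", "mp3", "avi", "html"}


def classify_attachment(filename):
    """Return 'disguised', 'executable' or 'ok' for one attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "disguised"  # e.g. name.txt.pif shown to the user as name.txt
    return "executable"


def scan_message(raw_bytes):
    """Parse a raw message and return [(filename, verdict)] for risky attachments."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = classify_attachment(name)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings


def build_sample():
    """Constructed sample: no subject line and a blank body, as the post describes."""
    msg = EmailMessage()
    msg["From"] = "member@example.invalid"  # placeholder address
    msg["To"] = "reader@example.invalid"    # placeholder address
    msg.set_content("\n")
    for name in ("Reader_digest_letter.txt.pif", "Hanson.scr", "setlist.txt"):
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:10} {name}")
```

A gateway or mail rule built on this would quarantine both verdicts; the "disguised" label only marks the cases where the visible name is misleading.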
reader_digest_letter virus
Moderator: Wiz Feinberg
