Hi Avery,

You are going to have to delete the files that are infected and then reinstall them from either the Windows CD or from the cabs files. I know of your difficulty in accessing the sites that would allow you to get rid of the problems. I have attached f-prot for DOS which can tell you which files to delete. You will need unzip for DOS to unzip this file--it is no longer a self-extracting archive.

NOTE: no attachment to the list--contact me directly if you need help.

I have pasted the directions on what to do in this email--print them out before you start. Best of luck!


Worm component

The worm component makes a copy of Wsock32.dll and names it Wsock32.mtx. The Send export function of this .mtx file is then modified to point to its own code. This allows the virus to mail a copy of the worm infected with this virus to the same person to whom the user sends an email (using the same program).

Here is a list of file names that this virus might use when it sends the infected worm to other people. For those files with .pif extensions, the .pif extension might not be visible in your mail program.

    I_wanna_see_you.txt.pif
    Matrix_screen_saver.scr
    Love_letter_for_you.txt.pif
    New_playboy_screen_saver.scr
    Bill_gates_piece.jpg.pif
    Tiazinha.jpg.pif
    Feiticeira_nua.jpg.pif
    Geocities_free_sites.txt.pif
    New_napster_site.txt.pif
    Metallica_song.mp3.pif
    Anti_cih.exe
    Internet_security_forum.doc.pif
    Alanis_screen_saver.scr
    Reader_digest_letter.txt.pif
    Win_$100_now.doc.pif
    Is_linux_good_enough!.txt.pif
    Qi_test.exe
    Avp_updates.exe
    Seicho_no_ie.exe
    You_are_fat!.txt.pif
    Free_xxx_sites.txt.pif
    I_am_sorry.doc.pif
    Me_nude.avi.pif
    Sorry_about_yesterday.doc.pif
    Protect_your_credit.html.pif
    Jimi_hendrix.mp3.pif
    Hanson.scr
    F___ing_with_dogs.scr
    Matrix_2_is_out.scr
    Zipped_files.exe
    Blink_182.mp3.pif

Wininit.ini is created by this component, which causes Wsock32.dll to be deleted and Wsock32.mtx to be renamed to Wsock32.dll. Wininit.ini executes after the computer is restarted. After Wininit.ini is created, this component runs the virus component.


Virus component

The virus component searches for specific antivirus programs running. If the virus finds one, the virus does not run. If the virus continues to run, it decompresses the worm component, drops a copy of it into the user's Windows directory (typically C:\Windows), and runs it. The name of this dropped file is Ie_pack.exe. After Ie_pack.exe is executed, it is renamed to Win32.dll.

The virus also drops Mtx_.Exe and runs it. This is a downloader program that goes to a specific Web site (i.am/[MATRIX]) where plug-ins for the virus are downloaded and executed.

It searches for Win32 executables in the current directory, Windows directory, and the Temp directory. The file to be infected needs to have a size that is not divisible by 101, is greater than 8K in size, and has at least 20 import call instructions. If not, the file is not infected by the virus.

The virus also adds a registry entry that lets the downloader run automatically every time the system is started. The downloader is invisible in the Task List.


Removal: How to repair manually

This is a complex and difficult virus to remove. It alters system files, and on some systems these files cannot be repaired. In some cases, after attempting to repair the virus, you will not be able to start Windows until you restore the needed system files from the original Windows installation CD.

This document assumes that you are familiar with basic Windows and DOS procedures. If you are not, we suggest that you obtain the services of a qualified computer consultant.

CAUTION: Windows 98 allows you to create a startup disk that contains both system files and drivers that will work with most CD-ROMs. Windows 95 does not. Before you start this procedure, it is strongly recommended that you create or obtain a Windows 98 Startup disk. This can be used to boot a Windows 95 or a Windows 98 computer. If you do not create this disk first, and the first part of the removal procedure does not work on your system, you may not be able to restore some Windows files if this is needed.

NOTES: Due to the nature of this virus, some files will not be repairable. The unrepairable files will need to be restored from clean backup copies, or from the original distribution disks.

To remove this threat you will need to carefully watch Norton AntiVirus (NAV) during the detection process. The files infected by the virus portion of W95.MTX should be detected as W95.MTX and W95.MTX (.dll). Any files that are detected as being infected with either W95.MTX or W95.MTX (.dll) should be able to be repaired. Files that are part of the Trojan and worm part of the infection should be detected as W95.MTX.dr. Any files detected as being infected with W95.MTX.dr must be removed. It is important to make the distinction between the virus and the worm components, because the virus part of W95.MTX can infect Windows system files, and if you delete system files you might damage Windows.

To repair the damage done by this virus, follow in turn the instructions in each section.


Create or obtain a Startup disk

Before you begin the removal process, you must create or obtain a Windows 98 Startup disk. If you are running Windows 95, you may be able to obtain one from a local computer store. To create one on a Windows 98 computer, follow these steps:

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Add/Remove Programs.
3. Click the Startup Disk tab.
4. Place a new, formatted floppy disk in the floppy disk drive.
5. Click Create Disk and follow the prompts.


Ensure that you have the most recent virus definitions

You must have Norton AntiVirus installed, and you must have virus definitions dated September 5, 2000 or later. If you do not, because this virus locks access to most antivirus vendors' Web sites, including Symantec's, you will not be able to run LiveUpdate or download the definitions from the SARC Web site. There are two ways to work around this:

If you have access to an uninfected computer, download the most recent definitions from the SARC Web site, and then install the definition files on the infected computer. For instructions on how to do this, see the following documents:

    Title: How to update virus definition files using the Virus Definition Update Installer
    Document ID: 1998082013035306

    Title: How to update virus definitions on computers without Internet or network connections.
    Document ID: 199811293832

If you do not have access to an uninfected computer, you can download the Virus Update Definition Installer from the Tucows Web site. Follow these steps to do this:

1. Go to the following URL: http://www.tucows.com
2. In the Search Software Library! box, type the following and then click GO!:
       norton dat
3. Locate the entry--it should be the first in the list--for the Platform: Windows 95/98 and then click Download Now.
4. Choose your region and state or locality and then click GO!
5. Click the download site nearest your location.
6. Download the file to a location on the hard drive such as the Windows desktop.
7. When the download is finished, double-click the file that you downloaded to install it.


Restart the computer to a command prompt

You need to restart the computer to a command prompt. Follow the steps for your operating system:

How to start Windows 95 to a command prompt:

1. Click Start and click Shut Down. The Shut Down Windows dialog box appears.
2. Click Restart, then click Yes. Windows will shut down and the computer will restart.
3. When "Starting Windows 95..." appears on the screen, press F8. The Windows 95 Startup Menu appears.
4. Select "Command Prompt only" and press Enter.

How to start Windows 98 to a command prompt:

1. Click Start and click Shut Down. The Shut Down Windows dialog box appears.
2. Click Restart, then click OK. Windows will shut down and the computer will restart.
3. As the computer restarts, press and hold down the Ctrl key until the Windows 98 Startup Menu appears.
   Note: On some computers, a keyboard or other error may appear during restart as you hold down the Ctrl key. If so, then follow the prompts to press a key to continue (for example, the message may prompt you to press the Esc key), then immediately press the Ctrl key again.
4. Select "Command Prompt only" and then press Enter.


Delete the infected files

Follow these steps to delete the infected files:

NOTE: These instructions assume that you have Windows installed to the default location of C:\Windows. If you have Windows installed to a different location, please make the appropriate substitutions.

1. Type each of the following commands and press Enter after each one:

       set path=c:\windows\command;%path%
       cd \windows
       attrib -r -s -h *.*

   <Note from Don Rose--delete whatever files f-prot says are unrepairable--make a note of the path so that you can reinstall them in the right spots.>

       del ie_pack.exe
       del win32.dll
       del mtx_.exe

   NOTE: If after entering any of these commands you see a message such as "File not found," type the command again to make sure that it was typed exactly as shown. For example, ie_pack.exe is "ie", then an underscore, then "pack.exe".

2. Type the following command and then press Enter:

       dir /s \navdx.exe

   This will search the hard drive for the location of the Norton AntiVirus DOS scanner. If you have NAV installed to a different drive, change to the root of that drive first.

3. Write down the location that follows "Directory of," for example, C:\Progra~1\Norton~1.

4. Change to the directory whose location you wrote down in the previous step by typing cd followed by the path. For example, to change to the default location shown in step 3, type the following command and then press Enter:

       cd \progra~1\norton~1

5. Type the following command and then press Enter:

       navdx /a /doallfiles /repair /delete

   This will scan all hard drives and files. NAV will attempt to repair any infected files; if it cannot repair an infected file, the file will be deleted.

   CAUTION: This could take several hours or more on some computers. Do not attempt to stop the scan once it has started.

6. When the scan is finished, go on to the next section.


Extract new copies of the Wsock32.dll, Explorer.exe, and Rundll32.exe files

This is necessary because these files have very likely been infected by the virus and are critical for accessing the Internet and using the computer. You need to use the Extract command at a DOS prompt to restore good copies of these files from the Windows installation files. There are two locations from which these files can be extracted:

- The Windows installation files on your hard drive. On many newer computers, the Cab files that contain the Windows installation files are stored on the computer's hard drive. If you are sure that this is the case, see the section How to extract files that are located on the hard drive.
- The Microsoft Windows 95/98 Installation CD. If you do not have the Cab files on the hard drive, see the section How to extract files that are located on the installation CD.

How to extract files that are located on the hard drive

1. Type the following and then press Enter:

       dir /s \precopy1.cab

   This will search the hard drive for the location of the Cab files. If the file is not found, it is likely that the Cab files are not on the hard drive. Skip to the section How to extract files that are located on the installation CD.

2. Write down the location that follows "Directory of," for example, C:\Windows\Options\Cabs.

3. Change to the directory whose location you wrote down in the previous step by typing cd followed by the path. For example, to change to the location shown in step 2, type the following command and then press Enter:

       cd \windows\options\cabs

4. What you do next depends on which operating system you are using:

   NOTES: If after entering any of these commands you see a message such as "File not found," type the command again to make sure that it was typed exactly as shown. If you see a message asking if you want to overwrite a file (Yes/No/All), type Y and then press Enter. If you have Windows installed to a different location, please make the appropriate substitutions.

   If you are using Windows 98, type the following commands and press Enter after each one:

       extract /a precopy1.cab wsock32.dll /l c:\windows\system
       extract /a win98_40.cab explorer.exe /l c:\windows
       extract /a win98_40.cab rundll32.exe /l c:\windows

   If you are using Windows 95, type the following commands and press Enter after each one:

       extract /a win95_10.cab wsock32.dll /l c:\windows\system
       extract /a win95_10.cab explorer.exe /l c:\windows
       extract /a win95_10.cab rundll32.exe /l c:\windows

   If you experience no error messages, then you are finished with the extraction process. Go on to the section Edit the registry.

How to extract files that are located on the installation CD

1. Insert the Windows 98 Startup disk in the floppy disk drive.
2. Insert the Windows 98 installation CD in the CD-ROM drive.
3. Turn off the computer and wait thirty seconds.
4. Turn on the computer. The computer will start to a startup menu.
5. The default menu item is Start Computer with CD-ROM Support. Do not change this, but instead press Enter.
6. Allow the computer to finish booting to an A: prompt. This could take a few minutes.
7. The next step is to change to the CD-ROM drive. Because you are using the Startup disk, the drive letter will be one letter greater than the drive letter that usually represents the CD-ROM drive. For example, if the CD-ROM drive is the D: drive in Windows, it will now be the E: drive. Type the following, changing the drive letter as necessary, and then press Enter:

       E:\Win98    (if the installation disk is for Windows 98)
   or
       E:\Win95    (if the installation disk is for Windows 95)

   If you see an error message, try retyping the command with a different drive letter, for example, F:\Win98.

8. What you do next depends on which operating system you are using:

   NOTES: If after entering any of these commands you see a message such as "File not found," type the command again to make sure that it was typed exactly as shown. If you see a message asking if you want to overwrite a file (Yes/No/All), type Y and then press Enter. If you have Windows installed to a different location, please make the appropriate substitutions.

   If you are using Windows 98, type the following commands and press Enter after each one:

       extract /a precopy1.cab wsock32.dll /l c:\windows\system
       extract /a win98_40.cab explorer.exe /l c:\windows
       extract /a win98_40.cab rundll32.exe /l c:\windows

   If you are using Windows 95, type the following commands and press Enter after each one:

       extract /a win95_10.cab wsock32.dll /l c:\windows\system
       extract /a win95_10.cab explorer.exe /l c:\windows
       extract /a win95_10.cab rundll32.exe /l c:\windows

   If you experience no error messages, then you are finished with the extraction process. Go on to the next section.


Edit the registry

Follow these steps to remove the entry that the virus added to the registry:

CAUTION: We strongly recommend that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in permanent data loss or corrupted files. Please make sure that you modify only the keys specified. Please see the document How to back up the Windows 95/98/NT registry before proceeding. This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document 927002.

1. Remove the floppy disk from the floppy disk drive.
2. If you extracted the files from the Installation CD, remove the CD from the CD-ROM drive.
3. Turn off the computer and wait thirty seconds.
4. Turn on the computer and allow Windows to start.
   NOTE: It is normal at this point for error messages to appear. They will refer to the virus files with messages such as "Windows cannot find..." Ignore these messages. They are the result of the remaining entries in the Windows registry that you will remove next. They do not indicate that the computer is still infected.
5. Click Start, and then click Run. The Run dialog box appears.
6. Type regedit and then click OK. The Registry Editor opens.
7. Navigate to and select the following subkey:
       HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
8. Delete the following value in the right pane:
       SystemBackup    C:\WINDOWS\MTX_.EXE
9. Click Yes to confirm.
10. Delete the following subkey:
       HKey_Local_Machine\Software\[Matrix]
11. Click Yes to confirm.
12. In the left pane, click the My Computer key.
13. Click Edit and then click Find.
14. In the Find what box, type mtx and then click Find Next.
15. What you do will depend on whether any entries are found. If no entries are found that contain the string mtx, go on to the next step. If any entries are found, and they refer to MTX_.EXE, you should delete the entry. Because this is a string search, it could find entries for legitimate programs that happen to contain this string. Make sure that the reference is to MTX_.EXE before you delete it. To continue the search if an entry is found, press F3. Keep doing this until no more entries are found.
16. Repeat step 11, but this time search for [MATRIX]. Delete any entries that are found.
17. Click the Registry menu, and then click Exit to save the changes and close the Registry Editor.
18. Restart the computer.

Write-up by: Abid Oonwala


At 04:58 PM 10/28/2000 -0500, you wrote:
>Jon, Andy, anyone?

Regards,

Don Rose, B.Mus., A.M.U.S., A.MUS., R.M.T., R.P.T.
Tuner for the Saskatchewan Centre of the Arts
drose@dlcwest.com
http://donrose.htmlplanet.com/
3004 Grant Rd.
REGINA, SK S4S 5G7
306-352-3620 or 1-888-29t-uner
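The lure-name list in the forwarded write-up doubles as a mail-gateway signature. As an added example that is not part of the original e-mail or of Symantec's write-up, this Python script flags attachment names that match the worm's list exactly, or that use the same document-plus-executable double extension the write-up warns mail clients may hide; the sample attachment names at the bottom are constructed for the demonstration.

```python
"""Flag e-mail attachment names that look like W95.MTX worm lures.

Added example; not from the original e-mail or the Symantec write-up.
The lure names are the ones the write-up lists.
"""
import re

# Attachment names the write-up says the worm component may use.
MTX_LURE_NAMES = {
    "i_wanna_see_you.txt.pif", "matrix_screen_saver.scr",
    "love_letter_for_you.txt.pif", "new_playboy_screen_saver.scr",
    "bill_gates_piece.jpg.pif", "tiazinha.jpg.pif", "feiticeira_nua.jpg.pif",
    "geocities_free_sites.txt.pif", "new_napster_site.txt.pif",
    "metallica_song.mp3.pif", "anti_cih.exe", "internet_security_forum.doc.pif",
    "alanis_screen_saver.scr", "reader_digest_letter.txt.pif",
    "win_$100_now.doc.pif", "is_linux_good_enough!.txt.pif", "qi_test.exe",
    "avp_updates.exe", "seicho_no_ie.exe", "you_are_fat!.txt.pif",
    "free_xxx_sites.txt.pif", "i_am_sorry.doc.pif", "me_nude.avi.pif",
    "sorry_about_yesterday.doc.pif", "protect_your_credit.html.pif",
    "jimi_hendrix.mp3.pif", "hanson.scr", "f___ing_with_dogs.scr",
    "matrix_2_is_out.scr", "zipped_files.exe", "blink_182.mp3.pif",
}

# A document-looking name that really ends in an executable extension.
# The write-up notes that the trailing .pif may be hidden by the mail
# program, so "me_nude.avi.pif" is shown as an innocent "me_nude.avi".
DOUBLE_EXT = re.compile(
    r"\.(txt|doc|jpg|mp3|avi|pdf|html?)\.(pif|scr|exe|com|bat)$", re.I)
EXEC_EXT = re.compile(r"\.(pif|scr|exe|com|bat)$", re.I)


def classify_attachment(name: str) -> str:
    """Return 'mtx-lure', 'double-extension', 'executable' or 'ok'."""
    n = name.strip().lower()
    if n in MTX_LURE_NAMES:
        return "mtx-lure"          # exact match against the worm's list
    if DOUBLE_EXT.search(n):
        return "double-extension"  # same disguise, name not on the list
    if EXEC_EXT.search(n):
        return "executable"        # plain executable attachment
    return "ok"


def scan_attachments(names):
    """Return (name, verdict) for every attachment that is not 'ok'."""
    verdicts = [(n, classify_attachment(n)) for n in names]
    return [(n, v) for n, v in verdicts if v != "ok"]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from a real mailbox.
    sample = ["quarterly_report.doc", "Me_nude.avi.pif",
              "invoice.pdf.scr", "setup.exe", "tuning_notes.txt"]
    for name, verdict in scan_attachments(sample):
        print(f"{verdict:17} {name}")
```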
This PTG archive page provided courtesy of Moy Piano Service, LLC