PE_MTX.A
Technical Details

Size of malware: 9,248 Bytes

Initial samples received on: Aug 31, 2000

Related to: WORM_MTX.A, BKDR_MTX.A, WORM_MTX.A.DLL


Details:

Infection Routine

This non-memory-resident virus gains control when the host program reaches the jump-to-virus instruction that the virus planted in the host code. It first saves all CPU registers and then decrypts its body. Once decrypted, the virus searches the host's import table for GetProcAddress and uses that function to resolve the other APIs it needs.

The virus searches for valid 32-bit applications with EXE and SCR file extensions in the current directory, the Windows temporary directory, and the Windows directory. To infect a file it looks for an API call inside the application's text (code) section and patches that call into a call to the virus code. It then appends its encrypted code to the target file and adjusts the section header entries, namely the Virtual Size, the Physical Size (raw data size) and the Flags (section characteristics), so that the appended code is mapped and executable when the host runs.

Components

Embedded in the virus are two encrypted components:

  • IE_PACK.EXE
  • MTX_.EXE

These files are set to hidden and are dropped in the Windows folder. Trend Micro detects these components as WORM_MTX.A and BKDR_MTX.A respectively. The virus also drops the file WIN32.DLL, which is an infected copy of WORM_MTX.A and is detected by Trend Micro as PE_MTX.A.

The virus spreads via email through IE_PACK.EXE. This worm component attaches WIN32.DLL to outgoing email under various filenames.

The backdoor component, MTX_.EXE, is a standalone program that is capable of downloading further Trojans from certain Web sites.

Anti-detection Techniques

This non-destructive file infector is encrypted and has stealth capabilities. It avoids detection by handling errors through Structured Exception Handling (SEH), so that a failed infection attempt does not crash the host and alert the user, and by using an Entry Point Obscuring (EPO) technique: the PE entry point is left untouched and control is diverted from a patched API call inside the host's own code, so scanners that only examine the code at the entry point see nothing unusual. Furthermore, it does not change the date and time stamp of the infected file, so sorting a directory by modification time will not reveal recently infected files, although the file size still grows by the size of the appended code.
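The infection routine described under Infection Routine (a patched API call in the text section, and a last section enlarged with its Virtual Size, Physical Size and Flags changed) together with the EPO point above suggest what a file-level check should look at. The following Python script is an added example, not Trend Micro's code and not the virus: it builds two constructed PE32 images in memory, a clean host and the same host after a modelled infection (the exact bytes MTX writes into the host are assumed, not taken from the sample), and runs a heuristic over both. The entry-point check is included only to show that it stays silent for an EPO infector; the signals that fire are a writable-and-executable last section and a near call in .text whose target lands inside that section.

```python
"""Heuristic scan for an MTX-style EPO infection in a PE32 file.
Added example, not Trend Micro's code; fixtures below are constructed."""
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry_rva):
    """Constructed fixture: minimal PE32 from [(name, rva, raw_bytes, characteristics)]."""
    n = len(sections)
    headers_len = _align(0x40 + 4 + 20 + 0xE0 + 40 * n, FILE_ALIGN)
    raw_ptr, sec_hdrs, bodies = headers_len, b"", b""
    for name, rva, data, flags in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        sec_hdrs += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data),
                                rva, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        bodies += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    image_size = _align(max(r + len(d) for _, r, d, _ in sections), SECT_ALIGN)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",   # IMAGE_OPTIONAL_HEADER32
                      0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0, 0x400000,
                      SECT_ALIGN, FILE_ALIGN, 4, 0, 0, 0, 4, 0, 0, image_size,
                      headers_len, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000,
                      0, 16) + b"\0" * 128            # 16 empty data directories
    file_hdr = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    head = dos + b"PE\0\0" + file_hdr + opt + sec_hdrs
    return head.ljust(headers_len, b"\0") + bodies


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE file image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry_rva = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]
    sec_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, rva, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HDR, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "rva": rva, "rsize": rsize, "rptr": rptr, "flags": flags})
    return entry_rva, sections


def scan_pe(data):
    """Findings consistent with an appended EPO infection: a writable+executable
    last section, and an E8 rel32 call in an earlier code section whose target
    lands in that last section (the patched API call). The entry-point check is
    kept to show it stays silent: EPO leaves AddressOfEntryPoint untouched."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return []
    last = sections[-1]
    last_end = last["rva"] + max(last["vsize"], last["rsize"])
    findings = []
    if last["flags"] & IMAGE_SCN_MEM_WRITE and last["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"last section {last['name']!r} is writable and executable "
                        f"(Characteristics={last['flags']:#010x})")
    if len(sections) > 1 and last["rva"] <= entry_rva < last_end:
        findings.append(f"entry point {entry_rva:#x} lies in last section {last['name']!r}")
    for sec in sections[:-1]:
        if not sec["flags"] & IMAGE_SCN_MEM_EXECUTE:
            continue
        code = data[sec["rptr"]:sec["rptr"] + (min(sec["rsize"], sec["vsize"]) or sec["rsize"])]
        for i in range(len(code) - 4):
            if code[i] != 0xE8:                      # near call, rel32 follows
                continue
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = (sec["rva"] + i + 5 + rel) & 0xFFFFFFFF
            if last["rva"] <= target < last_end:
                findings.append(f"call at RVA {sec['rva'] + i:#x} in {sec['name']!r} "
                                f"targets appended code at RVA {target:#x}")
    return findings


# Constructed host .text: push ebp / mov ebp,esp / call [0x402000] / pop ebp / ret
_CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
_DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
_HOST_TEXT = b"\x55\x8b\xec" + b"\xff\x15\x00\x20\x40\x00" + b"\x5d\xc3"
_HOST_DATA = b"\0" * 16
CLEAN_PE = build_pe([(b".text", 0x1000, _HOST_TEXT, _CODE),
                     (b".data", 0x2000, _HOST_DATA, _DATA)], entry_rva=0x1000)

# Modelled infection (byte layout assumed, not the exact MTX patch): the 6-byte
# call [IAT] becomes a 5-byte call rel32 to a placeholder body appended to the
# last section plus a NOP; that section grows and gains EXECUTE, entry point unchanged.
_BODY_RVA = 0x2000 + len(_HOST_DATA)
_PATCHED_TEXT = (b"\x55\x8b\xec" + b"\xe8" + struct.pack("<i", _BODY_RVA - (0x1000 + 3 + 5))
                 + b"\x90" + b"\x5d\xc3")
INFECTED_PE = build_pe([(b".text", 0x1000, _PATCHED_TEXT, _CODE),
                        (b".data", 0x2000, _HOST_DATA + bytes(range(0x40)),
                         _DATA | IMAGE_SCN_MEM_EXECUTE)], entry_rva=0x1000)
```

Run `scan_pe(open(path, "rb").read())` against real files to try it. Expect false positives from the byte 0xE8 occurring inside data embedded in code sections, so treat a hit as a reason to inspect rather than a verdict, and note that the writable-and-executable flag alone is also set by some packers. Because the infector restores the timestamp, comparing file size and the section table against a known-good copy is a better complement than any time-based check.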

Other Details

The following text strings are found in the virus:

SABI-.b ViRuS
Software provide by [MATRiX] VX TeAm: Ultras, Mort, Nbk, L0rd
DArk, Del_Armg0, Anaktos
Greetz: All VX guy in #virus and Vecna for help us
Visit us at:
http://www.coder<BLOCKED>.net/matrix

This virus is capable of reinfection. However, it does not continue executing once it detects that any of the following anti-virus programs are running on the system:

  • AntiViral Toolkit Pro
  • AVP Monitor
  • Vsstat
  • Webscanx
  • Avconsol
  • McAfee VirusScan
  • Vshwin32
  • Central do McAfee VirusScan

