Another Flash in the Pan

Here is hot information about a potentially dangerous virus. ProLin.A is a new Internet worm that promotes the use of Linux. Also known as Shockwave.A, the infector is similar to the ILoveYou virus and also spreads through Microsoft Outlook. The worm arrives as an e-mail with the subject "A great Shockwave flash movie" and the attachment CREATIVE.EXE, which displays a Flash movie icon. The message body includes the statement "I could have done far better damage. I could have even completely wiped your hard disk." It is signed "The Penguin", possibly a veiled reference to Tux, Linux's penguin mascot.

Opening the attachment copies the worm into your Windows folder, where it adds a hidden shortcut to the Startup menu so that the worm loads every time Windows starts. The worm also sends a copy of itself to every contact in your Address Book. Finally, it searches your hard drives for .JPG, .MP3 and .ZIP files and moves them into the C:\ root after adding "change at least now to LINUX" to each file name.
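
The file-moving behaviour described above leaves a marker in every affected name, which a clean-up can key on. The following is an added example written for this column, not the worm's code or Kaspersky's restore tool: it takes a directory listing of the C:\ root, identifies names carrying the worm's marker string, recovers the original name, and refuses to overwrite a file that already exists under that name. It assumes the marker is appended after the original extension (with or without a separating space); the exact placement is an assumption, as is the constructed sample listing. The original folder each file came from is not recorded anywhere in the name, so that part of the damage cannot be undone this way.

```python
import os
from pathlib import Path
from typing import Dict, List, Optional

# Marker the worm appends to moved media files, as quoted in the column.
PROLIN_MARKER = "change at least now to LINUX"

# Extensions the column says the worm hunts for; used to sanity-check a restore.
TARGET_EXTENSIONS = {".jpg", ".mp3", ".zip"}


def restore_name(tampered: str) -> Optional[str]:
    """Return the original file name if `tampered` carries the worm's marker, else None."""
    if not tampered.endswith(PROLIN_MARKER):
        return None
    # Assumption: the marker follows the original name (and extension), possibly
    # separated by a space, so stripping it yields the original name.
    original = tampered[: -len(PROLIN_MARKER)].rstrip()
    if Path(original).suffix.lower() not in TARGET_EXTENSIONS:
        return None  # not one of the file types the worm moves; leave it alone
    return original


def plan_restore(names: List[str]) -> Dict[str, str]:
    """Map tampered names to restored names, skipping any rename that would clobber a file."""
    plan: Dict[str, str] = {}
    taken = {n.lower() for n in names}  # Windows file names are case-insensitive
    for name in names:
        restored = restore_name(name)
        if restored is None:
            continue
        if restored.lower() in taken:
            continue  # a file with the original name already sits in C:\; do not overwrite
        plan[name] = restored
        taken.add(restored.lower())
    return plan


def apply_restore(root: str, plan: Dict[str, str]) -> int:
    """Carry out the planned renames inside `root`; returns how many were applied."""
    for old, new in plan.items():
        os.rename(os.path.join(root, old), os.path.join(root, new))
    return len(plan)


if __name__ == "__main__":
    # Constructed sample listing of a C:\ root after an infection (not real data).
    sample = [
        "holiday.jpgchange at least now to LINUX",
        "track01.mp3 change at least now to LINUX",
        "backup.zipchange at least now to LINUX",
        "backup.zip",          # a genuine file already present: the restore must skip it
        "autoexec.bat",        # untouched by the worm
    ]
    for old, new in plan_restore(sample).items():
        print(f"{old!r} -> {new!r}")
```

Run `plan_restore` first and review the mapping before calling `apply_restore` on the real drive root; the planning step is deliberately separate from the rename so a collision is visible before anything is touched.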

The worm affects all versions of Windows, including Windows 2000. However, it needs MSVBVM60.DLL, a component of the Visual Basic 6.0 run-time library, to execute. Luckily for us, the worm is sloppily coded: a bug prevents it from copying itself into the Windows folder if that folder is not named WINDOWS. The worm also sends a notification of infection to [email protected]. Kaspersky Labs, Russia has released a cure: http://www.kaspersky.com/go/restoreProlin/restoreProlin.exe.

Luckily for me, I have recently managed (phew!) to apply the Office 2000 Service Pack 1a and the subsequent (just released) Service Pack 2. These both boost Outlook's native security settings and block all harmful attachments. The e-mail shows the attachment icon, but this is locked and you can't open it. I recommend that you immediately patch your Office 2000 ASAP. SP-1a is available on one of the two CD-ROMs accompanying the Nov 2K issue of Network Computing magazine. SP-2 can be downloaded from http://msvaus.www.conxion.com/download/office2000pro/sp/sp2/w98nt42kme/en-us/sp2upd.exe. it@tt readers, do note that several of the e-mails they sent me this week include some form of virus attachment!

The second infector is W95/MTX.gen@M. This 32-bit PE file infector affects both Windows 9x and NT systems. It searches for drives or folders shared in the Network Neighbourhood and then attempts to move files from one host system (yours) to other host systems and vice versa. W32/MTX@MM is a combination of virus, worm and backdoor.

The virus component also modifies .DLL and .EXE files, especially in the Windows folder. The worm and backdoor components send infected e-mail to every contact in your Address Book. This e-mail has an attachment with a .PIF or .EXE extension; regardless of the extension, however, the attachment is an .EXE file.

Removing this virus requires that you search your local drive for IE_PACK.EXE, MTX_.EXE, WIN32.DLL and WSOCK32.MTX. MTX_.EXE runs as a process making Internet calls every 2 minutes on TCP port 1137. The worm also modifies the WININIT.INI file so that, after the next reboot, the regular WSOCK32.DLL is replaced by the virus-dropped WSOCK32.MTX. You also need to search your Registry for "HKLM\Software\[MATRiX]" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemBackup = C:\WINDOWS\MTX_.EXE".
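
The removal checklist above names three kinds of indicator: dropped files, a pending WININIT.INI rename, and Registry entries. The following is an added example for this column, not code from any vendor's removal tool: it checks all three against inputs a responder would already have to hand (a file listing, the contents of WININIT.INI, and an export of Registry values). It relies on the documented WININIT.INI format, in which the [rename] section holds `destination=source` lines that Windows 9x applies at the next boot (a destination of NUL means delete). The Registry export is modelled as a mapping from "key\value name" to data, and the autorun entry is looked for as the SystemBackup value under the CurrentVersion\Run key. All sample inputs are constructed for the example.

```python
from typing import Dict, List

# File names the column says MTX drops; matched case-insensitively on the base name.
MTX_FILES = {"ie_pack.exe", "mtx_.exe", "win32.dll", "wsock32.mtx"}

# Registry indicators from the column: a marker key and an autorun value.
MTX_MARKER_KEY = r"HKLM\Software\[MATRiX]"
MTX_RUN_VALUE = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemBackup"


def parse_wininit_rename(ini_text: str) -> Dict[str, str]:
    """Return {destination: source} pairs from the [rename] section of a WININIT.INI."""
    renames: Dict[str, str] = {}
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "rename" and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            renames[dest] = src
    return renames


def wininit_findings(ini_text: str) -> List[str]:
    """Flag a pending rename that would install WSOCK32.MTX in place of WSOCK32.DLL."""
    hits = []
    for dest, src in parse_wininit_rename(ini_text).items():
        if src.lower().endswith("wsock32.mtx") and dest.lower().endswith("wsock32.dll"):
            hits.append(f"WININIT.INI rename pending at next boot: {src} -> {dest}")
    return hits


def file_findings(paths: List[str]) -> List[str]:
    """Flag any path whose base name is one of the dropped files."""
    hits = []
    for p in paths:
        base = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in MTX_FILES:
            hits.append(f"dropped file present: {p}")
    return hits


def registry_findings(values: Dict[str, str]) -> List[str]:
    """Flag the marker key (any value beneath it) and the autorun value pointing at MTX_.EXE."""
    hits = []
    for path, data in values.items():
        if path.lower().startswith(MTX_MARKER_KEY.lower()):
            hits.append(f"marker key present: {path}")
        if path.lower() == MTX_RUN_VALUE.lower() and "mtx_.exe" in data.lower():
            hits.append(f"autorun entry: {path} = {data}")
    return hits


def triage(ini_text: str, paths: List[str], registry: Dict[str, str]) -> List[str]:
    """Combine all three checks into one list of findings."""
    return wininit_findings(ini_text) + file_findings(paths) + registry_findings(registry)


# Constructed sample inputs for demonstration (not captured from a real machine).
SAMPLE_WININIT = r"""[rename]
NUL=C:\WINDOWS\TEMP\~setup.tmp
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\WSOCK32.MTX
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\MTX_.EXE",
    r"C:\WINDOWS\SYSTEM\WSOCK32.MTX",
    r"C:\WINDOWS\NOTEPAD.EXE",
]
SAMPLE_REGISTRY = {
    r"HKLM\Software\[MATRiX]\Install": "1",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemBackup": r"C:\WINDOWS\MTX_.EXE",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_WININIT, SAMPLE_FILES, SAMPLE_REGISTRY):
        print(finding)
```

The WININIT.INI check matters because the rename is only applied at the next boot: deleting MTX_.EXE and WSOCK32.MTX without also removing that pending line leaves Windows trying to install a file that no longer exists, so both should be cleaned in the same pass.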

G Menon
[email protected]
