The Philippines won't be famous for just pineapples and coups. We can now add
Love to the list; in this case the various Love viruses. And just as newspapers
are agog with reports of the perpetrator of the ILoveU virus escaping
prosecution because of procedural issues, comes the news of another virus from
the same country.
The newly discovered DonaldD trojan is named after the Disney character
Donald Duck. The email subject line is "erap estrada", the nickname of
the current Philippine president, Joseph Estrada. The Trojan arrives as an email
attachment and seems to be based on the original Love bug. DonaldD also
collects user names and passwords and transmits them to an as yet unknown
destination. So far, the virus appears restricted to the Philippines. However, it is
expected to spread, since it uses the Outlook Address Book to propagate.
Also new is W95.MTX (W95.Oisdbo), which includes a worm and infects some Win32
executables. So far, nearly 1,000 cases have been reported across 10 sites. The
W95.MTX worm makes a copy of WSOCK32.DLL, renaming the original file to
WSOCK32.MTX. The exported send function of this .MTX file is then patched to
point to the worm's own code. This allows the virus to mail a copy of the virus and
worm to every person to whom the (infected) user sends email.
The virus uses multiple attachment names, some with a .PIF extension (an
extension Windows may hide). The known names are: I_wanna_see_you.txt.pif,
Matrix_screen_saver.scr, Love_letter_for_you.txt.pif,
New_playboy_screen_saver.scr, Bill_gates_piece.jpg.pif, Tiazinha.jpg.pif,
Feiticeira_nua.jpg.pif, Geocities_free_sites.txt.pif, New_napster_site.txt.pif,
Metallica_song.mp3.pif, Anti_cih.exe, Internet_security_forum.doc.pif,
Alanis_screen_saver.scr, Reader_digest_letter.txt.pif, Win_$100_now.doc.pif,
Is_linux_good_enough!.txt.pif, Qi_test.exe, Avp_updates.exe, Seicho_no_ie.exe,
You_are_fat!.txt.pif, Free_xxx_sites.txt.pif, I_am_sorrydoc.pif, Me_nude.avi.pif,
Sorry_about_yesterday.doc.pif, Protect_your_credit.html.pif,
Jimi_hendrix.mp3.pif, Hanson.scr, F___ing_with_dogs.scr, Matrix_2_is_out.scr,
Zipped_files.exe, Blink_182.mp3.pif.
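A mail-gateway or desktop filter can use the list above directly, and can also catch the pattern behind it: a harmless-looking "document" extension (.txt, .jpg, .mp3) followed by an executable one (.pif, .scr) that Windows may hide. The following is an added example written for this article, not code from the original report or from any antivirus vendor; the name list is copied from the text, and the extension sets and the classification rules are my own assumptions.

```python
# Attachment names the article lists for W95.MTX (copied from the text above).
KNOWN_MTX_NAMES = {
    "i_wanna_see_you.txt.pif", "matrix_screen_saver.scr", "love_letter_for_you.txt.pif",
    "new_playboy_screen_saver.scr", "bill_gates_piece.jpg.pif", "tiazinha.jpg.pif",
    "feiticeira_nua.jpg.pif", "geocities_free_sites.txt.pif", "new_napster_site.txt.pif",
    "metallica_song.mp3.pif", "anti_cih.exe", "internet_security_forum.doc.pif",
    "alanis_screen_saver.scr", "reader_digest_letter.txt.pif", "win_$100_now.doc.pif",
    "is_linux_good_enough!.txt.pif", "qi_test.exe", "avp_updates.exe", "seicho_no_ie.exe",
    "you_are_fat!.txt.pif", "free_xxx_sites.txt.pif", "i_am_sorrydoc.pif", "me_nude.avi.pif",
    "sorry_about_yesterday.doc.pif", "protect_your_credit.html.pif",
    "jimi_hendrix.mp3.pif", "hanson.scr", "f___ing_with_dogs.scr", "matrix_2_is_out.scr",
    "zipped_files.exe", "blink_182.mp3.pif",
}

# Extensions Windows will execute even though they look like shortcuts or
# screen savers to a user (assumed set, not from the article).
EXECUTABLE_EXT = {"pif", "scr", "exe", "com", "bat", "vbs"}
# "Document" extensions the worm places in front of the real extension as a
# decoy (assumed set, derived from the names above).
DECOY_EXT = {"txt", "doc", "jpg", "mp3", "avi", "html", "htm", "gif"}


def classify_attachment(name):
    """Return a reason string if the attachment name looks like an MTX-style
    lure, or None if it passes. Exact known names are checked first, then the
    generic double-extension disguise, then bare .pif/.scr attachments."""
    lowered = name.strip().lower()
    if lowered in KNOWN_MTX_NAMES:
        return "known W95.MTX attachment name"
    parts = lowered.split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT and parts[-2] in DECOY_EXT:
        return "decoy double extension .%s.%s" % (parts[-2], parts[-1])
    if len(parts) >= 2 and parts[-1] in {"pif", "scr"}:
        return "executable shortcut/screensaver extension .%s" % parts[-1]
    return None


def filter_attachments(names):
    """Return {name: reason} for every attachment in `names` that is flagged."""
    flagged = {}
    for name in names:
        reason = classify_attachment(name)
        if reason:
            flagged[name] = reason
    return flagged


if __name__ == "__main__":
    # Constructed sample of attachment names from one mail batch.
    sample = ["Love_letter_for_you.txt.pif", "holiday_photo.jpg.pif",
              "quarterly_report.doc", "Hanson.scr", "setup.exe", "notes.scr"]
    for attachment, why in filter_attachments(sample).items():
        print("%-30s %s" % (attachment, why))
```

The generic rules deliberately sit behind the exact-name check so that a new variant using a fresh lure name is still caught by its double extension, while an ordinary .doc or .exe attachment is left alone for other controls to handle.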
The virus also creates WININIT.INI, which in turn deletes WSOCK32.DLL and renames
WSOCK32.MTX to WSOCK32.DLL. Windows processes this .INI file when the PC is
restarted; once WININIT.INI has been created, the virus component is run.
The virus checks for specific antivirus programs and, if it finds one,
disables itself. Otherwise, the virus decompresses its worm component (Ie_pack.exe),
drops a copy into the Windows directory and runs it. After Ie_pack.exe has
executed, it is renamed to Win32.dll. The virus also drops Mtx_.Exe, a
downloader program that goes to a specific Web site (i.am/
plug-ins for the virus are downloaded and executed. The virus then searches for
Win32 executables in the current Windows and Temp directories.
The virus has some limitations: a file to be infected must have a size not
divisible by 101, must be larger than 8K, and must contain at least 20 import
call instructions. The virus also adds a registry entry that makes the downloader
run automatically every time the system is started. The downloader does not appear
in the Task List.
To remove W95.MTX, delete the files detected as W95.mtx, W95.mtx (dll) and W95.mtx.dr.
Delete the value "SystemBackup"="C:\WINDOWS\MTX_.EXE" under the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and then
restore the original Windows files from your system backup.
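The host-side indicators described above (the WSOCK32.MTX copy, the WININIT.INI rename entries, the dropped MTX_.EXE and its "SystemBackup" Run value, and the size and import-count profile of files the virus will infect) can be checked offline against a directory listing and registry export. The following is an added example written for this article, not a tool from the original report or from any antivirus vendor. The WININIT.INI sample, the directory listing and the Run values are constructed inputs, and the C:\WINDOWS\SYSTEM path is an assumption; the indicator names and the infection criteria come from the text above.

```python
# Constructed WININIT.INI content in the [rename] form that Windows 9x processes
# at boot ("nul=<path>" deletes a file, "<new>=<old>" renames one). The
# directory path is assumed; the WSOCK32 names come from the article.
SAMPLE_WININIT_INI = """[rename]
nul=C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.MTX
"""

# Constructed Windows-directory listing (file name -> size in bytes).
SAMPLE_LISTING = {
    "WSOCK32.DLL": 40960, "WSOCK32.MTX": 40960, "MTX_.EXE": 9216,
    "KERNEL32.DLL": 471040, "NOTEPAD.EXE": 34304,
}

# Constructed values under HKLM\...\CurrentVersion\Run (name -> command).
SAMPLE_RUN_VALUES = {
    "SystemBackup": r"C:\WINDOWS\MTX_.EXE",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
}

# File names the article says W95.MTX drops or creates, lower-cased.
DROPPED_NAMES = ("wsock32.mtx", "mtx_.exe", "ie_pack.exe", "win32.dll")


def parse_rename_section(ini_text):
    """Return (target, source) pairs from the [rename] section of WININIT.INI."""
    pairs = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            target, source = line.split("=", 1)
            pairs.append((target.strip(), source.strip()))
    return pairs


def find_mtx_indicators(listing, run_values, wininit_text=""):
    """Return a list of human-readable findings for the W95.MTX indicators."""
    findings = []
    present = {name.lower() for name in listing}
    for dropped in DROPPED_NAMES:
        if dropped in present:
            findings.append("dropped file present: %s" % dropped)
    for value_name, command in run_values.items():
        if "mtx_.exe" in command.lower():
            findings.append("Run value '%s' launches %s" % (value_name, command))
    for target, source in parse_rename_section(wininit_text):
        if target.lower() == "nul" and source.lower().endswith("wsock32.dll"):
            findings.append("WININIT.INI deletes WSOCK32.DLL")
        if source.lower().endswith("wsock32.mtx") and target.lower().endswith("wsock32.dll"):
            findings.append("WININIT.INI renames WSOCK32.MTX over WSOCK32.DLL")
    return findings


def matches_mtx_target_profile(size, import_calls):
    """True if a Win32 executable meets the infection criteria the article
    gives: larger than 8K, size not divisible by 101, at least 20 import calls.
    Useful for prioritising which files to verify against a clean backup."""
    return size > 8192 and size % 101 != 0 and import_calls >= 20


if __name__ == "__main__":
    for finding in find_mtx_indicators(SAMPLE_LISTING, SAMPLE_RUN_VALUES, SAMPLE_WININIT_INI):
        print("[!]", finding)
    print("NOTEPAD.EXE eligible for infection:",
          matches_mtx_target_profile(SAMPLE_LISTING["NOTEPAD.EXE"], 40))
```

The WININIT.INI check matters because the rename entries survive a reboot and silently re-establish the patched WSOCK32.DLL; removing the dropped files without clearing the [rename] section, or without removing the "SystemBackup" Run value, leaves the system able to reinfect itself on next start.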