
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


MTX

  • Threat Level: High threat
  • Damage: Severe
  • Distribution: Not widespread

Effects 

MTX infects Windows files in PE (Portable Executable) format in the WINDOWS and TEMP directories and in the directory that is active at the time of infection.

The extensions of these files include EXE, DLL, OCX, SCR and CPL. When a file infected by MTX is run, the virus carries out new infections.

The effects of MTX are:

  • It downloads files from the Internet, which it saves in the infected computer using a Trojan component incorporated in this worm.
  • It automatically sends itself out every time the affected user sends a message.

Infection strategy 

MTX creates the following files:

  • WSOCK32.MTX, in the Windows system directory, as an infected copy of the WSOCK32.DLL file.
  • WININIT.INI, in the Windows directory. The function of this file is to replace the original WSOCK32.DLL library with the infected WSOCK32.MTX.
  • WIN32.DLL, IE_PACK.EXE and MTX_.EXE, in the Windows directory. These files are hidden so the user will not be aware that they exist.
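
A host triage check for the file artifacts listed above, as an added example that is not part of the original entry or of Panda's tooling. It assumes WININIT.INI uses the Windows 9x `[rename]` layout of `destination=source` lines; the function names and the sample input are constructed for illustration.

```python
import ntpath

# File names come from the entry above; how the listings are gathered is an assumption.
SYSTEM_DIR_ARTIFACTS = {"WSOCK32.MTX"}
WINDOWS_DIR_ARTIFACTS = {"WIN32.DLL", "IE_PACK.EXE", "MTX_.EXE"}


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section of WININIT.INI."""
    # Parsed by hand: the section may repeat keys (several NUL= lines),
    # which configparser rejects.
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def triage(wininit_text, windows_files, system_files):
    """Return findings that match the MTX file artifacts described in the entry."""
    findings = []
    for dest, src in parse_rename_section(wininit_text):
        # The pending rename that swaps the real library for the infected copy.
        if (ntpath.basename(dest).upper() == "WSOCK32.DLL"
                and ntpath.basename(src).upper() == "WSOCK32.MTX"):
            findings.append(f"WININIT.INI replaces {dest} with {src}")
    for label, names, wanted in (("system", system_files, SYSTEM_DIR_ARTIFACTS),
                                 ("Windows", windows_files, WINDOWS_DIR_ARTIFACTS)):
        findings += [f"{label} directory contains {n}" for n in names if n.upper() in wanted]
    return findings


# Constructed sample input (not captured from a real host).
SAMPLE_WININIT = r"""[rename]
NUL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\WSOCK32.MTX
"""
SAMPLE_WINDOWS = ["WIN.INI", "mtx_.exe", "IE_PACK.EXE", "NOTEPAD.EXE"]
SAMPLE_SYSTEM = ["WSOCK32.DLL", "WSOCK32.MTX", "KERNEL32.DLL"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_WININIT, SAMPLE_WINDOWS, SAMPLE_SYSTEM):
        print(finding)
```

Directory listings must include hidden files, since the entry states that the dropped files carry the hidden attribute. A WININIT.INI on its own is not a finding, because installers also use it; only the WSOCK32 rename is flagged.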

MTX modifies the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    By inserting this modification, MTX ensures that it is activated every time the computer is started up, by running the MTX.EXE file.
  • HKEY_LOCAL_MACHINE\Software
    MTX inserts a “mark” in this entry, which consists of a file called [MATRIX]. Through this mark, MTX will recognize that the computer has already been infected.

In order to avoid detection, MTX uses a technique known as EPO (Entry Point Obscuring). It does not modify the entry point of the original file it infects, but inserts a new instruction in this entry (which will make a call to activate the virus).

Means of transmission 

MTX spreads rapidly via e-mail, as an attachment to a message. The attached file has two extensions, one of which is EXE, SCR or PIF.

  • The file name varies in each infection and can be one of the following:
    NEW_NAPSTER_site.TXT.pif
    METALLICA_SONG.MP3.pif
    ANTI_CIH.EXE
    INTERNET_SECURITY_FORUM.DOC.pif
    ALANIS_Screen_Saver.SCR
    READER_DIGEST_LETTER.TXT.pif
    WIN_$100_NOW.DOC.pif
    IS_LINUX_GOOD_ENOUGH!.TXT.pif
    QI_TEST.EXE
    AVP_Updates.EXE
    SEICHO-NO-IE.EXE
    YOU_are_FAT!.TXT.pif
    FREE_xxx_sites.TXT.pif
    I_am_sorry.DOC.pif
    Me_nude.AVI.pif
    Sorry_about_yesterday.DOC.pif
    Protect_your_credit.HTML.pif
    JIMI_HMNDRIX.MP3.pif
    HANSON.SCR
    FUCKING_WITH_DOGS.SCR
    MATRiX_2_is_OUT.SCR
    zipped_files.EXE
    BLINK_182.MP3.pif
  • When the attached file is run, MTX carries out its infection. From then on, MTX waits until a new e-mail message is sent from the infected computer.
  • When the user sends a message to any recipient, MTX immediately spreads.
    In order to do this, MTX sends another message to the same recipient (provided that the address does not correspond to an antivirus company), attaching an infected file to it.