MTX is a worm-like virus from 2000. It was extremely advanced for its time and is still a curiosity. MTX was one of the most popular self-replicators of mid 2000. It has some similar features to Hybris and Happy99. It was relatively popular in the early 2000's though it did not have much of an impact, lacking any malicious payload.

Behavior

MTX arrives in an email with a blank subject line and message body, and in an attachment with a variable name and a .scr, .exe or .pif extension. It will likely arrive the same time as another nonmalicious email that was actually sent by the person in the sender line.

When a file infected with MTX is executed, the virus is decrypted and it scans the Windows Kernel for API functions. It then scans for certain antivirus products and will only continue if it does not find them. It creates three files in the windows folder: IE_PACK.EXE (contains code for spreading the viruses over email), WIN32.DLL (same as IE_PACK.EXE, but infected with the virus) and MTX_.EXE (Backdoor code). It infects Portable Executables in the Windows, temp and current directories and the virus exits.

It hooks the WSOCK32.DLL "send" function by adding some of its own code to the end of the file. WSOCK32.DLL is usually in use when the virus is first executed, so MTX creates a a copy of it as WSOCK32.MTX, infects the copy, then modifies WININIT.INI file to replace WSOCK32.DLL with WSOCK32.MTX the next time the system starts. With this infected copy of WSOCK32.DLL, the virus can monitor the user's Internet activity. It prevents the user from visiting some security sites or sending email to certain mostly security-related addresses.

This also helps the worm intercept all emails sent from the computer to check the address it is being sent to. It sends an email to that address with no subject or message body, but WIN32.DLL as an attachment. The name of the attachment will be changed to one of over 30 possible names and a .pif, .exe or .scr extensions.

When the Backdoor component is run, it checks for the registry key HKLM\Software\[MATRIX], indicating the backdoor is already on the system and stops if it is found. If not, it adds itself to the local machine run registry key to ensure it runs when the system starts. It starts as a hidden service that retrieves files from an Internet server.

Variants

There are several variants of MTX, most of them relatively similar. There is one variant that drops one of the few malware for the PalmOS. This is the Palm/MTX.II.A trojan. All it really does is display some greetings to other virus coders and then some animated boxes.

Effects

MTX made the virus charts, but did not make much of an impact. A year after it was released, it was number 8 on the charts. Two years later, a variant of MTX was at number 10.

Sources

F-Secure Antivirus, Worm:W32/MTX.

OnLine Services, W95/MTX.gen@M.

John Leyden. The Register, Thousands of idiots still infected by SirCam. 2001.10.02

-. -, Klez tops the virus charts. 2002.07.31

Eric Chien. Symantec, Palm.MTX.II.A. 2001.09.03