The Vendio Round Table: ANTI CIH EXE Virus HELP!!!


 mybiddness
 
posted on December 11, 2000 02:35:42 PM
Does anyone know anything about this virus and how to get rid of it?

ANTI_CIH.EXE Type: unspecified type (application/octet-stream)

I got it a few days ago and only found out when a customer emailed to let me know that I had sent it to them. It comes as a separate attachment to my emails.

I have Norton Anti-virus which shows my system to be clean of viruses and didn't warn me about this one. I tried to go to Norton Online help site but my computer crashes every time I try to access it. I tried to use the Norton Recovery but it also causes a crash. We got the newest Norton anti-virus program today but it won't load into the system without crashing.

I've got tons of emails that I need to send out but can't until I figure out how to get this off my computer.

I hate to scream - but HELP!!!!!!!!!!!


Not paranoid anywhere else but here!
 
 stockticker
 
posted on December 11, 2000 02:48:10 PM

http://www.datafellows.com/cih/
 
 siggy
 
posted on December 11, 2000 02:54:29 PM
Sounds like the MTX virus. Once infected it stops people from seeking info and help from a number of antivirus software sites. I think there are some versions of AV software and sites NOT blocked by it but need to check. Here's the first article I just found on it but it's had a number of writeups on various sites lately:

http://www.zdnet.com/zdhelp/stories/main/0,5594,2630479,00.html


edited to add: I think the article includes instructions for removal. I just did a quick browse through.
[ edited by siggy on Dec 11, 2000 02:56 PM ]
 
 mybiddness
 
posted on December 11, 2000 03:03:29 PM
Thanks to both of you.

Stockticker - I just downloaded and ran the test that was provided on your link and it reported that I don't have the CIH virus. Could this be a different version of the virus that they can't detect - I'm sorry but I'm totally confused.




Not paranoid anywhere else but here!

edited to say Siggy I'm checking your site now. Thanks!
[ edited by mybiddness on Dec 11, 2000 03:04 PM ]
 
 siggy
 
posted on December 11, 2000 03:06:25 PM
It's not CIH which was an earlier virus. It's MTX. The file name you described is included in the article I posted. Trying to remember and check which AV site boasted it wasn't blocked by this varmit.

 
 mybiddness
 
posted on December 11, 2000 03:11:52 PM
I've tried to connect to the link twice but keep crashing - It automatically sends me to "quick reload" and says that a crash is detected. Is there a specific link within that site that I can try to get to? Thanks again!


Not paranoid anywhere else but here!
 
 siggy
 
posted on December 11, 2000 03:18:57 PM
That thing may be mucking up your machine. Wondering if it's blocking other than AV sites as well. Here's the link to the instructions for removal in that article. See if you can get there:

http://www.zdnet.com/zdhelp/stories/main/0,5594,2630479-3,00.html

 
 siggy
 
posted on December 11, 2000 03:35:25 PM
OK, the instructions in the article involve changing the registry which gives me the heebie jeebies as I'm not that swift. If you can back up the registry do so before attempting any changes.

But here also is an AV site (AVG by Grisoft) which provides free software and includes MTX in its definitions. Hoping it's not blocked:

http://www.grisoft.com/html/us_index.cfm


 
 mybiddness
 
posted on December 11, 2000 03:42:54 PM
I got into the last link that you gave me but it crashed soon after - this time it actually froze up everything so that I had to pull the plug so to speak.

I haven't had a problem accessing eBay - so I don't know what makes it crash on those sites. Maybe it's something this virus is programmed to do???

I'll try the next link but may have to shut down soon and let the hubby work on it later. If someone's going to kill my computer I'd rather it be him - so I can yell at him about it!

Thanks a million and wish me luck!


Not paranoid anywhere else but here!
 
 Shoshanah
 
posted on December 11, 2000 03:44:15 PM
This is from Symantec, which I gather you cannot access?


Discovered on: August 17, 2000
Last Updated on: December 7, 2000 2:58:01 PM PST


W95.MTX has a virus component and a worm component. It propagates using email. Also it infects some Win32 executables in specific directories. The virus also has the capability to block access to certain web sites. This may prevent users from downloading new virus definitions.


Also known as: W95.Oisdbo, W95.MTX.dr, W95.MTX (.dll)

Category: Worm, Virus

Infection length: 9250 (variable)

Virus definitions: August 28, 2000

W95.MTX Fix Tool
This tool repairs damage done by the W95.MTX virus. Due to the nature of this virus, some files will not be repairable. The unrepairable files will need to be restored from clean backup copies, or from the original distribution disks. Please click here for further instructions after running the tool.



To use the tool, we recommend you download the http://www.symantec.com/avcenter/fixmtx.exe and save it in a new folder on the Windows Desktop (SARC suggests you name the folder fixmtx). After the file finishes downloading:

Close all programs, including your Web Browser.
Click Start, point to Programs, and then click MS-DOS Prompt. An MS-DOS window will open.
Change to the following location where you saved the fixmtx.exe tool by typing the following and pressing Enter:

cd \windows\desktop\fixmtx


At the C:\windows\desktop\fixmtx> prompt, type the following and press Enter to scan ALL FILES ON THE INFECTED SYSTEM

fixmtx c:\
What the tool does

After running W95.MTX Fix Tool, all Web sites previously blocked will be accessible.

The tool scans for and repairs (where possible) infected files. If an infected file cannot be repaired (because it has been corrupted), then a message will appear which says that. You will need to restore the damaged files from backup or from the original distribution disks. The worm files are deleted if they are found.

The tool repairs wsock32.dll by removing the virus code. If wsock32.dll is in use at that time, then a copy is made of wsock32.dll and this copy is repaired. Then a wininit.ini will be created and a request to reboot will be printed after scanning is complete. When the machine is rebooted, the wsock32.dll will be replaced with the clean copy.

To verify the digital signature of fixmtx.exe

To verify the digital signature of fixmtx.exe using chktrust.exe:

Download chktrust into the same directory where fixmtx.exe is located:

http://www.wmsoftware.com/pub/chktrust.exe


Launch the MS-DOS prompt via the Start/Programs/MS DOS prompt menu.
Change to the directory where fixmtx.exe and chktrust.exe are stored. If the files were saved to the desktop folder the command to enter in the MS DOS prompt is:
cd \windows\desktop

Type the following command to check the digital signature of fixmtx.exe:


chktrust -i fixmtx.exe

If the digital signature is valid you will see a dialog asking the following question:

"Do you want to install and run "FixMTX" signed on 10/17/2000 5:04PM and distributed by Symantec Corporation."


The date and time that are displayed in this dialog will be adjusted to your timezone if your computer is not set to the Pacific time zone. For example, if you live in the Eastern time zone the date and time you will see will be 10/17/2000 8:04PM.

*If you have the Daylight Savings feature activated on your computer's clock, the time displayed will be exactly one hour earlier.


You might also see the text message "Result:0" displayed following the command line. If you do, then the test is positive and the file is confirmed as being from Symantec.
If this dialog or text message do not appear or the date and time are not properly adjusted for your timezone do not use your copy of fixmtx.exe. It is not from Symantec.
If this dialog appears and the text is correct for your timezone this copy of fixmtx.exe is from Symantec.
Click the "Yes" button to dismiss the chktrust dialog.
Type exit and then press the enter key. This will terminate the MS DOS session.




********************
Gosh Shosh!

http://members.ebay.com/aboutme/rifkah/

 
 siggy
 
posted on December 11, 2000 03:51:00 PM
Here's more info from Computer Associates:

Mtx (also known as Win95.Mtx, W32/MTX@mm, W32/Apology, W32/MTX and I-Worm.MTX)
Win95.Mtx is a 32-bit virus that has worm-like behavior and drops a trojan. It uses an infection method called "entry point obscuring". This means that rather than executing the virus at the very start of an infected program (the "entry point"), it can patch the program at almost any point inside its code. This is designed to make detection more difficult; the virus might not activate straight away when an infected program is run. For example, the virus may only activate when a particular function of the infected program is used.

When the virus is run, it infects files in the Windows directory. Win95.Mtx then unpacks and drops its worm component twice in the Windows directory as files with the following names:

"Ie_pack.exe"
and "Win32.dll"

A trojan file named "Mtx_.exe" is also dropped in the Windows directory, and the following registry key (which runs the trojan each time Windows reboots) is created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemBackup = \MTX_.EXE

The trojan attempts to download and run files from a website which may contain other malicious programs. Next, the worm part is launched and creates a modified version of Wsock32.dll. It then overwrites the wininit.ini file with its own copy. (The wininit.ini file is only present on the system when required. When the system starts, commands in this file will be carried out and the file will be deleted). The virus' wininit.ini file contains commands to replace the original version of Wsock32.dll file with its own when Windows reboots. Once the original version is replaced, the new Wsock32.dll intercepts information being sent (by the send() function) from the computer to the network. If it detects that an e-mail is being sent, it will immediately send a second e-mail to the same recipient. The second e-mail has no subject and no body; merely an attachment which is randomly picked from a list of names within the code (shown here in the same order as in the infected file):

README.TXT.pif
I_wanna_see_YOU.TXT.pif
MATRiX_Screen_Saver.SCR
LOVE_LETTER_FOR_YOU.TXT.pif
NEW_playboy_Screen_saver.SCR
BILL_GATES_PIECE.JPG.pif
TIAZINHA.JPG.pif
FEITICEIRA_NUA.JPG.pif
Geocities_Free_sites.TXT.pif
NEW_NAPSTER_site.TXT.pif
METALLICA_SONG.MP3.pif
ANTI_CIH.EXE
INTERNET_SECURITY_FORUM.DOC.pif
ALANIS_Screen_Saver.SCR
READER_DIGEST_LETTER.TXT.pif
WIN_$100_NOW.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
QI_TEST.EXE
AVP_Updates.EXE
SEICHO-NO-IE.EXE
YOU_are_FAT!.TXT.pif
FREE_xxx_sites.TXT.pif
I_am_sorry.DOC.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
Protect_your_credit.HTML.pif
JIMI_HMNDRIX.MP3.pif
HANSON.SCR
#*!@_WITH_DOGS.SCR
MATRiX_2_is_OUT.SCR
zipped_files.EXE
BLINK_182.MP3.pif

In addition, the replacement Wsock32.dll monitors the location of HTTP requests (web-browsing), and the address of e-mail recipients. The program will crash if it detects that the user is attempting to either access an anti-virus site or send e-mail to an anti-virus company. It detects this communication by searching for substrings and strings in the domain name from the following lists:

NII.
nai.
avp.
AVP.
F-Se
f-se
mapl
pand
soph
ndmi
afee
yenn
lywa
tbav
yman

wildlist.o
il.esafe.c
perfectsup
complex.is
HiServ.com
hiserv.com
metro.ch>
beyond.com
mcafee.com
pandasoftw
earthlink.
inexar.com
comkom.co.
meditrade.
mabex.com>
cellco.com
symantec.c
successful
inforamp.n
newell.com
singnet.co
bmcd.com.a
bca.com.nz
trendmicro
sophos.com
maple.com.
netsales.n
f-secure.c
F-Secure.c

The virus contains the following ASCII text:

Software provide by [MATRiX] VX team:
Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
Greetz:
All VX guy on #virus channel and Vecna
Visit us: www.coderz.net/matrix

Cleaning Instructions:

Please ensure that you have the latest virus engine and signature files installed on your PC;
Open your anti-virus program and configure it to detect and clean infected files;
Perform a full scan of the hard-disk;
Reboot your computer.
If you are still having difficulty removing the virus, you will need to boot your machine in DOS-mode (from a clean system disk) and run an up-to-date rescue utility that is available with your anti-virus program.
------------------

So it seems to detect things in the url which trigger a crash. Clever and nasty.

Computer Associates provides the free Inoculate antivirus software but perhaps you can't get there either:

http://www.antivirus.ca.com/



 
 mybiddness
 
posted on December 11, 2000 04:11:15 PM
Well, it looks like I've already killed it myself. I'm typing this from hubby's computer. I tried to go to Symantec link and it went to quick reload mode. Then it went into a blue screen with "fatal exception occurred" - Geeez!

How can I ever get rid of this virus if I can't get to any of the links....Frustrating.

I'll try to explore some of the sites from this computer - it's slow and persnickety, but at least it doesn't have a virus.

Back to the trenches! Thanks again


Not paranoid anywhere else but here!
 
 siggy
 
posted on December 11, 2000 04:29:12 PM
FINALLY I've found the blinkin' Anti Virus site NOT blocked by the MTX virus:

http://www.commandcom.com


Best of luck!


 
 stockticker
 
posted on December 15, 2000 10:42:08 PM

Mybiddness:

I was just wondering if you managed to get rid of the virus. It sounded really ugly and I've noticed that you haven't posted on AW since this thread.

Irene
 
 femme
 
posted on December 16, 2000 06:18:43 AM

UP

Irene, we are on the same wavelength.

I just opened this thread for the first time and am also curious if mybiddness was able to get it fixed.

Scary, considering Norton's didn't detect this virus.

 
 siggy
 
posted on December 16, 2000 09:50:57 AM
I was wondering how she was faring as well. Also wanted to know if the Norton on the infected machine was updated since I think they included MTX in their virus definitions a few weeks ago. Want to know if it slipped by an updated version. That would be really scary.

 
 mybiddness
 
posted on December 16, 2000 10:21:43 AM
Hi - thanks for asking. The RT was one of my first places to visit now that I'm REVIVED AT LAST!

The virus ended up eating my hard drive - we tried all the different remedies but one of the techs my husband talked to said that this was an advanced version of the MTX supervirus. I had Norton anti-virus on my system but hadn't upgraded the virus scan in at least a month so I'm not sure if that would have caught it or not. Two people that I accidentally sent it to said that their Norton was updated but didn't catch it but that their Mail 2000 did. I think that that's the mail program referred to in the first link... whatever it is I'm finding it and getting it. I'm glad that I had only emailed a handful of people before I realized something was wrong. When the computer first started acting strangely I did a virus scan and Norton showed the system clean of viruses.

I still can't get over the fact that some people are so sick-minded that they spend their time inventing this kind of crap. We used all the info in the links you guys provided and my system just couldn't get through any of them without crashing. We even tried deleting the entire hard drive but I kept getting weird messages like "be_netaware" is password protected and can not be deleted. Basically, we could delete everything but the virus. The more we tried - the more it ate and corrupted.

I'm still mad at myself for opening an attachment... I know better. Luckily I had most of my files backed up or it could have been worse. As it is, I've still got a ton of stuff to re-load, etc.

We switched to McAfee anti-virus with a firewall but if any of you have any better ideas - I'm wide open for suggestions. I never took viruses too seriously since I had Norton. It seems that the viruses are getting more and more sophisticated... scary thought.


Not paranoid anywhere else but here!
 
 bhearsch
 
posted on December 16, 2000 12:30:14 PM
Hello mybiddness. I'm sorry to hear about your problems and am glad to see you're back in business.

One thing I would suggest EVERYONE do is to make a backup copy of your winsock32.dll (wsock32). Many of these worms/trojans/viruses corrupt this winsock .dll and unless you know how to extract a fresh one from the Windows cab files it's a good idea to just make a copy and store it on a floppy or anywhere other than your Win system directory. This simple procedure may very well save your ass one day.

Blanche
[ edited by bhearsch on Dec 16, 2000 12:30 PM ]
 
 siggy
 
posted on December 16, 2000 01:35:39 PM
Good to see you back but boy, what a mess! EEK!

I figure the Mail 2000 comment was a reference to MS Outlook 2000 which comes with MS Office 2000, evidently. I don't have Office 2000 so don't know squat about it. But here's an article on Outlook 2000. (And of course there's always the Microsoft site to check things out.)

http://msn.zdnet.com/msn/zdnet/story/0%2C12461%2C2412539-hud00025swem%2C00.html

Don't know much about current McAfee products. I didn't care for their AV years ago so dumped it. For a firewall I use the free ZoneAlarm. http://www.zonelabs.com/default.htm

You might want to look into getting an anti-Trojan program as well since those rats are out there too. AV products focus more on viruses than Trojans. Although they do protect against a number of Trojans, it's usually not their main focus. So a little extra protection (or paranoia) is a good thing. One anti-Trojan software is BOClean and their site is:

http://www.nsclean.com/boclean.html

Another is The Cleaner:

http://www.moosoft.com/cleaner.html

A site for internet security/privacy info is grc.com

A site with links on issues and products re: stuff discussed at the GRC site and newsgroups:

http://web2.airmail.net/buzz/faqlinks.html

Lots of info out there but since the bad bugs are out there it doesn't hurt to check things out.

Welcome back!


[ edited by siggy on Dec 16, 2000 01:37 PM ]
 
 mybiddness
 
posted on December 16, 2000 08:27:15 PM
Thanks for all the info - I'm definitely checking it all out. Just one more thing to be paranoid about!


Not paranoid anywhere else but here!
 