I Worm.mtx


Philip1952
04-13-2001, 11:11 AM
Hi all. A friend of mine caught this virus. I have downloaded a couple of programs that say they can remove it. But it is still on the computer. On restart the programs say it is still there. I would appreciate any help and links to find a cure for this. Plus for some reason we can't get to Norton or McAfee web sites from her computer either. I have never heard of a virus blocking out web sites before! She got an e-mail for a server program yesterday that said it was the I Worm.mtx.

Philip1952
04-13-2001, 01:21 PM
Ok went and looked around. Good site. It is bookmarked now. This looks like a nasty little piece of s--t. It will keep me busy for a while. I didn't see any programs to remove it. I'll look around to see if I can find one. Thanks for the info.

daveleau
04-13-2001, 06:29 PM
Here is the app, called KillMTX. You must reboot and run this from DOS, then be sure to remove the dropper file (cannot remember what it is...but it is well known). The dropper file reinfects the system on reboot...
http://www.downlinx.com/proghtml/227/22722.htm
http://www.freedownloadscenter.com/Utilities/Anti-Virus_Utilities/KillMTX.html
http://vaksin.hypermart.net/killmtx.htm

All three are the same program.

Good luck...some guy got this at work.

Dave

Philip1952
04-13-2001, 09:46 PM
Well bad news. I have tried the program Killmtx from the web sites listed by daveleau. It doesn't get rid of this little pest. I have tried the one kill_ez from Norton, no go either. It will say it has removed it. Norton scan will grab the kak worm with its scan. The Cleaner will show the computer as clean. When I reboot. It blocks any tries to go to Norton or McAfee web sites and so on. It also keeps trying to call home. I get the internet connection box coming up on its own.
So let's think of something else I can try. It's starting to look like format C: might be my only fix. I hope not. The person that this box belongs to would like for me to save her data if I could.
Here is how she got it. She bought this computer 6 months ago from a local computer shop. They installed Norton on it. But they didn't tell her it was a three year old program. It doesn't have e-mail protection built in. You have to do a scan after everything is downloaded. Well the rest is history. Bet the screaming starts Monday morning at around 8:00 am Indiana time. LOL

golfcart
04-14-2001, 12:17 AM
Check it to see if it is also the virus described here, www.sexyfun.net (http://www.sexyfun.net) (no, it's not a porn site). I have seen this virus block the access to various antivirus sites.

daveleau
04-14-2001, 09:43 AM
You also have to get a new copy of WSOCK32.DLL from a clean machine and copy it via DOS before rebooting. It is the dropper element reinfecting your system. The reason you are not able to disinfect is because of the dropper element. You must get rid of it (the deleted files). The files you are to delete (listed below) are NOT found on non-infected systems!

So,
Replace these files:
WSOCK32.DLL
EXPLORER.EXE
RUNDLL32.EXE

Delete these files:
IEPACK.EXE
WIN32.DLL
MTX_.EXE

run KILLMTX
Reboot

Dave

We had this at work and completely eradicated it without reformatting and reinstalling.
http://www.unl.edu/security/virus_alerts/mtx.htm

[This message has been edited by daveleau (edited 04-14-2001).]

Philip1952
04-14-2001, 04:46 PM
Ok got your instructions. First I guess I have to look under one of these dust piles and see if I can find my DOS book. It has been a while since I had to move files around in DOS. I'll keep you posted how I'm doing. Thanks

daveleau
04-14-2001, 05:02 PM
Copy both XCOPY files from a system onto a boot disk.

A:\xcopy source destination /v

a:\xcopy a:\wsock32.dll c:\windows\system /v
a:\xcopy a:\explorer.exe c:\windows /v
a:\xcopy a:\rundll32.exe c:\windows /v

Don't remember where IEPACK.EXE or WIN32.DLL or MTX_.EXE are. You cannot see them inside the windows shell, you can only see them in DOS. You can do this to search for it in DOS..

C:\> cd windows
C:\WINDOWS> dir /p (does it by page so you can find the files)
C:\WINDOWS> del MTX*.*
C:\WINDOWS> del IEPACK.EXE
C:\WINDOWS> del WIN32.DLL

Should take care of it. Good luck
Dave
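
The file lists and DOS steps in the two posts above, written as a read-only check to run from a clean machine against a copy of the suspect drive's files. This is an added example, not part of the original thread: the filenames come from the posts, while the folder layout, sample contents and clean-reference folder are constructed assumptions.

```python
import fnmatch
import hashlib
import os
import tempfile

# Names taken from the thread: files to delete and files to replace.
DELETE_PATTERNS = ["IEPACK.EXE", "WIN32.DLL", "MTX*.*"]
REPLACE_NAMES = ["WSOCK32.DLL", "EXPLORER.EXE", "RUNDLL32.EXE"]

def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def triage(root, clean_dir):
    """Return (worm files found, system files differing from the clean copies)."""
    clean = {n.upper(): sha256(os.path.join(clean_dir, n))
             for n in os.listdir(clean_dir) if n.upper() in REPLACE_NAMES}
    dropped, modified = [], []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            upper = name.upper()  # FAT file names are case-insensitive
            path = os.path.join(folder, name)
            if any(fnmatch.fnmatchcase(upper, p) for p in DELETE_PATTERNS):
                dropped.append(path)    # flag for review, nothing is deleted
            elif upper in clean and sha256(path) != clean[upper]:
                modified.append(path)   # replace from the clean copy
    return sorted(dropped), sorted(modified)

def demo():
    """Run the check on a constructed sample tree (contents are not real binaries)."""
    samples = {
        "clean/WSOCK32.DLL": b"clean wsock32",
        "clean/EXPLORER.EXE": b"clean explorer",
        "drive/WINDOWS/SYSTEM/Wsock32.dll": b"clean wsock32 + appended code",
        "drive/WINDOWS/EXPLORER.EXE": b"clean explorer",
        "drive/WINDOWS/mtx_.exe": b"x",
        "drive/WINDOWS/IEPACK.EXE": b"x",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in samples.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        dropped, modified = triage(os.path.join(tmp, "drive"), os.path.join(tmp, "clean"))
        names = lambda paths: [os.path.basename(p) for p in paths]
        return names(dropped), names(modified)

if __name__ == "__main__":
    print(demo())
```

Because the walk covers the whole tree and ignores file attributes, it also lists files that are hidden from the Windows shell.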

Jeff7
04-14-2001, 06:12 PM
And a little thing to do, assuming it hasn't been mentioned already: make sure the write protect tab is set to locked before putting a floppy in the infected computer. That way, it shouldn't be able to transfer itself out of that system.

Philip1952
04-14-2001, 08:06 PM
Hi all. I'm still fighting it. Didn't find the files to delete. Looked in C:\windows, C:\windows\system, C:\windows\command. Then installed the other files. Did a clean with killmtx. Rebooted, started to fix the files. Before I got done I ran the cleaner and found it was back. I love it. Also on the floppies, they are cheap. These are going in the trash when I'm done. I have had windows write to a disk with the write protect tab set. So won't take a chance on using these again. They will get broken and pitched when I'm done. Time for bed, been fighting this box for too long.

daveleau
04-15-2001, 05:07 AM
Sorry to hear it.
What strain is showing up via scan?
Dave

Philip1952
04-15-2001, 08:48 AM
Scan is still showing Iworm.mtx. I have done everything from the web sites posted. I think this version has a new plug-in that added something new to it. This computer ran for about 3 days before she got in touch with me. So it was able to connect and download more plug-ins. When I run killmtx it started with 105 infected files. Almost all of them are exe files. But every time I have restarted the cleaning more files are infected. She needs this box by Tuesday so I think rather than spend more time. It's time for a reformat. One good thing is. Now I'm getting a lot of practice in DOS again. It has been a while. Glad I kept my old books. I'll check back here a couple times today. It will be later on this evening before I do a format. Got to work on my girl's computer for a while.

Philip1952
04-18-2001, 06:18 PM
Need some more help. After doing a format. Twice. I also did a fdisk to make another drive for her to store her data on.
Now what I'm getting is errors on all of her programs. Most are invalid format. Reinstall the program. It does it every time you reinstall something. Won't see her camera either. So what I'm thinking is windoze is still picking up part of the old programming off the drive. Now what is a good program that will remove all data from a drive. Or a program that will overwrite the unused parts of the drive. I will delete all programs. If you know of a good program for that. Windows is the only thing working right. (Or the best you can expect it to). Any other program doesn't.

bluepotato
04-18-2001, 06:57 PM
If you want to overwrite your entire hard drive, you need a "zero fill" utility. (it writes zeros in every sector of the drive). These are usually manufacturer-specific.

However,

I have had a similar virus recently. It infected winsock32.dll and spread to virtually every file accessed in a session. That's a nasty little piece of software. Here is how I got rid of it:

Install some anti-virus software
run the virus scan in *dos safe-mode*
In windows, it is no good, because the program cannot clean files that are currently used in memory (Explorer.exe, for example)
have it clean all the files
At this point, everything should be fine, but you should still replace previously infected system files. (fdisk and format is also an option)

This virus inserts itself in the "free space" of the files it infects... maybe that is why your attempts to format and fdisk did not solve the problem.

rhino49
04-18-2001, 07:01 PM
To clean disk - there is a command line parameter /mbr that puts in a new master boot record. I can't remember whether it's in fdisk or format -- fdisk I think. So get a clean startup disk (add/remove programs in control panel) from an uninfected machine, write protect it, boot from it and a:\fdisk /mbr -- then partition & format

daveleau
04-18-2001, 07:31 PM
a:\fdisk /mbr
this redoes your master boot record in Win9X (NOT FOR NT/2000!).

Sorry you are having these problems. The normal versions of IWorm.MTX do not harm your MBR or any other portions of the system except for the files listed above.

Good luck
Dave

I have a low-level formatting utility that scotter gave to me that is supposed to work for most drives; you can use it to clean the whole disk to see if that works. fdisk /mbr does not clean the entire disk, just the MBR.

[This message has been edited by daveleau (edited 04-18-2001).]

captpete
04-18-2001, 07:44 PM
I think you have been infected with the W32/Hybris.gen@MM virus, AKA, Snowhite and the Seven Dwarfs. The symptoms you describe match exactly what is described at this virus alert: http://vil.nai.com/vil/dispVirus.asp?virus_k=98873
I looked it up because I received an email entitled "Snowhite and the Seven Dwarfs, the real story" from HaHaHa@sexy something, anyhow I deleted the thing without opening it. I had Norton email protection activated and the attachment was gone, hopefully. I believe you have to open the attachment to get infected.

Did your friend receive such an email recently? The above site spells out in detail how to remedy it.

Philip1952
04-18-2001, 09:28 PM
Yes the version of what she got was the same. All the sites I went to. I tried every fix. Didn't work. This thing had a key somewhere. That no one has seen. So I formatted the drive (twice) then I did an fdisk and partitioned to 2 drives for file storage. As far as booting there is no problem. It boots and runs windoze fine. But any program I install says invalid format when I try to start them. I have run system file check. It shows good. Norton 2001 shows good. With current definitions. The Cleaner shows no sign of that nasty bug. I think windoze is reading some of the old corrupted files from the disk. I'm looking for a program to write all zeros over the whole disk. Or over unused areas. Whichever I can find. The drive is a WD 20 gig 7200 rpm. To reformat again won't bother me. If I know that it will take and not read some old junk left by DOS on a format. I have a 15 gig WD on my shelf right now that I couldn't get a game to reinstall and work right. After 3 formats and reloads. That game still acted bad. So shoot some more ideas. I'll be on tomorrow again. The virus is gone. Just program problems now.

prttybean
04-19-2001, 08:59 AM
Go to Western Digital's web site and grab their Data Lifeguard tools. You use it from your PC to create a bootable floppy. Then boot from her PC with it. In that software is the option to write zeros to the drive.

[This message has been edited by prttybean (edited 04-19-2001).]

Philip1952
04-19-2001, 02:50 PM
Ok I'll grab my disk and give it a try. I didn't know it was on the WD disk. Thanks

Philip1952
04-19-2001, 07:57 PM
Made a big mistake on it tonight. Forgot it had a DVD in it. When I was working on it. I made a boot of my computer without DVD. Wiped the drive then couldn't load windoze. LOL. So gotta go back with a cdrom. To finish my job. Tomorrow night.