GEN:SID | 1:734 |
Message | Virus - Possible Matrix worm |
Summary | This event is generated when Matrix worm activity is detected.
|
Impact | Severe - Windows system files can be deleted/replaced/infected (Wsock32.dll, Explorer.exe and Rundll32.exe).
The virus propagation is done when a user sends e-mail, but variants may exist that display other characteristics.
|
Detailed Information | Matrix worm is distributed via e-mail when a user sends some e-mail to a recipient. The attachement name is random. File suffixes can be .exe, .com, .bat, .pif, .scr, .jpg.pif.. etc. The worm code uses plugins which can make the virus really dangerous (e.x. installing backdoors). Removal could be difficult, but free removal tools exist (see below).
|
Affected Systems | |
Attack Scenarios | An attacker sends the Matrix worm using a MIME exploit which executes the virus code automatically. The worm can now distribute itself using the mail client of the user and can install backdoors and infect EXE files.
|
Ease of Attack | Simple. The worm does all the distribution work.
|
Corrective Action | Symantec W95.MTX removal tool: http://www.sarc.com/avcenter/venc/data/w95.mtx.fix.tool.html
|
Additional References | |