W32.Shatrix@mm

SUMMARY

W32.Shatrix@mm is a Microsoft Outlook worm that is written in Delphi. It spreads by sending itself to contacts in the Microsoft Outlook address book, and across network drives. The payload attempts to delete .exe files and replace them with itself.

Protection

• Virus Definitions (Intelligent Updater) January 7, 2002

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Medium
• Large Scale E-mailing: Sends email to all contacts in Microsoft Outlook address book.

Distribution

• Distribution Level: High
• Subject of Email: FW:Shake a little
• Name of Attachment: Shake.exe
• Size of Attachment: 380,928 bytes
• Shared Drives: Copies itself across network drives

TECHNICAL DETAILS

When the worm is executed, it does the following:

It first moves the active window around the screen for a second or two. (If this worm is executed from the desktop and there are no open windows, you will not see the window jumping around.)

Next, the worm copies itself to the WindowsSystem folder as a random eight-character file name with the extension .exe (for example, 3hohd7ec.exe).

NOTE: If you are running Windows NT2000XP, it is copied to the WinntSystem folder.

Next, the worm adds one of the following values:

SystemInfo C:Windows System<Random 8-character name>.exe
SystemInfoM    C:Windows System<Random 8-character name>.exe

to the registry key

HKEY_LOCAL_MACHINE\SoftwareMicrosoftWindowsCurrentVersionRun

so that the worm is executed each time that you start Windows.

It then modifies .html, .htm, and .asp files that it finds in the C:inetpubwwwroot folder. (This folder is usually found only on Web servers.) The modified files contain the following text:

MatriX is out there
MatriX has You...
MatriX is All around You
010011010110000101110100011100100110100101011000

in a green font on a black background.

The worm then accesses all available network drives and places a copy of itself in the WindowsSystem folder on all computers that it can connect to. It also tries to email itself to all contacts in the Microsoft Outlook address book. The email message has the following characteristics:

Subject: FW:Shake a little

Message:
Hi !
This will shake your world :-)
Regards,

Attachment: Shake.exe

Finally, it may delete some executable (.exe) files from various folders, and replace them with copies of itself. These replaced executable files might have different icons than they did before being replaced. The worm does this by searching for .exe files and looking for icon code (inside the resource section of a .exe file) that meets its needs. It then copies that executable as T_672b.ttm in the WindowsSystem folder. This is a temporary file that the worm uses to copy the icon code to the replaced executable file. Under some conditions, the worm creates empty folders named MatriX<random numbers> (for example, MatriX875460101 or MatriX20234005). It places these folders in the following locations:

• C:
• WindowsSystem

Under some conditions, the worm attempts to shut down the system using the InitiateSystemShutdown API function.

Remote modification of registry
The worm also has the abilty to remotely modify the registry on the system it is trying to infect. Microsoft has published information that explains how to disable this capability on Windows NT and 2000 systems. This information can be found at:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q153183

For Windows 95/98/Me systems this capability exists only if the "Microsoft Remote Registry service" has been installed. The ability to modify the registry remotely does not exist on these systems by default.

For Windows XP Professional, this capability does not exist if the computer is joined to a workgroup and the "Force network logons using local accounts to authenticate as Guest" policy is enabled. Note that this policy is enabled by default for a computer running Windows XP Professional that is joined to a workgroup.

For Windows XP Home Edition, this capability does not exist.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

To remove this worm, delete files that are detected as W32.Shatrix@mm, remove the value that the worm added to the registry, delete the file T_672b.ttm, and delete the MatriX<random numbers> folder, if it is found.

To remove the worm:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. If any files are detected as W32.Shatrix@mm, first write down the file name and then delete the file.
   
   NOTE: Because the infected .exe files have been replaced by the worm, you must either restore them from a clean backup or reinstall the software that contains them. For example, if Notepad.exe, which is a Windows file, is detected as W32.Shatrix@mm, it has been replaced by the worm and must be restored or reinstalled. If the file name is, for example, Hejtghu.exe, that is not a normal file name and it only needs to be deleted.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
   
   HKEY_LOCAL_MACHINE\SoftwareMicrosoftWindowsCurrentVersionRun
   
4. In the right pane, delete any of the following values that exist:
   
   SystemInfo C:Windows System<Random 8-character name>.exe
   SystemInfoM    C:Windows System<Random 8-character name>.exe
   
5. Click Registry, and then click Exit.

To remove the .ttm file:
Using Windows Explorer, delete the T_672b.ttm file from the WindowsSystem folder.

To remove the MatriX<random numbers> folders:
Using Windows Explorer, locate and delete the folders named MatriX<random numbers> from the following locations:

• C:
• WindowsSystem