1.0 DESCRIPTION

1.1 Overview

MyCERT has received reports of the spreading of a new malicious program called MAT_IT.EXE. This program is a combination of a mIRC worm and a trojan all at the same time. The worm infects Windows platform and is able to propagate via IRC channel within which the infected person joins. It has a destructive payload of deleting entire files on the C:\ drive as well as any root drives available.

1.2 Limitation

1. It infects machine running Windows platforms.
   
   
2. Infection will only occur once the infected document MAT_IT.EXE is executed.

2.0 TECHNICAL MATTERS

2.1 Installation and Functionality

1. Upon execution, a window will pop-up followed by a message box as below:
   
   
   

   There has also been a report on a second variant of this trojan that gives out messages as below. However, from all the samples received, we cannot verify the possibility.

   "MAT IT STRIKES BACK" and then a few second later a second box will appear with a message "SITI, I LOVE YOU" with an OK button.

2. As soon as the OK button is clicked, all the files listed below will be deleted. The deletion includes all the files and subdirectories on the directory where the worm is executed.

   command.com
   netlog.txt
   autoexec.syd
   autoexec.bat
   config.sys
   setupxlg.txt
   scandisk.log
   

3. It will drop a copy of itself on all root directory (C:\ to Z:\) as MAT_IT.EXE and the directory "C:\windows\system" as USER286.EXE. It can also copy itself as ADIL3.EXE.

4. Then it will edit the registry by inserting a value "c:\windows\system\user286.exe" under:
   
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   
   and
   
   HKEY_USER\Default\Software\Microsoft\Windows\CurrentVersion\Run

   This will ensure that the worm is executed everytime the system reboots.

2.2 Payload

1. After infection, the worm looks for SCRIPT.INI in C:\Mirc directory and if it is found, replaces with it's own script. This will autosend the worm to all users on the IRC channel in which the infected person joins. However, due to some bugs, this part does not always work.

2. At the next boot up, it will delete all the files and subdirectory that can be deleted on the c:\windows\system directory where the file USER286.EXE is dropped.

3. The trojan is fairly destructive as it will try to delete the whole drive C:\ drive.

3.0 POSSIBLE STEPS

3.1 Prevention and Detection

1. Since this is a new type of trojan, antivirus software might not be able to detect it even with newly installed virus updates. However, do remember that infection of this trojan can only occur once the infected file is executed. Thus, users are reminded to delete any UNexpected attachment or files received via email or IRC whether they are from a known or unknown source.

2. As a precaution, update the virus definition file of your antivirus software regularly so that the presence of a new virus can be detected before any infections can occur. The list of known anti-virus vendors are as listed in MyCERT's website (http://mycert.mimos.my/anti-virus.htm).

3. Run a virus scan on all downloadable files and software application before installing or executing them.

4. Configure your antivirus software so that it will do an automatic scan on all email attachments and downloadable files before being executed.

3.2 Manual Removal

1. Delete the value "c:\windows\system\user286.exe" under the registry stated in Section 2.1 #4.

2. Reboot to DOS mode and delete USER286.EXE, ADIL3.EXE and MAT_IT.EXE from your hardisk.

4.0 REFERENCE

We would like to thank Trend Micro and F-Secure Corporation for their analysis in obtaining the information above.