Watch out for this virus - it's nasty
Message
General information
Forum: Visual FoxPro
Category: Other
Miscellaneous
Thread ID: 00447082
Message ID: 00447104
Views: 18
>Hi all
>
>We’ve recently been exposed to the “Matrix2” virus, which we received via an email from a colleague in our office. This virus arrives in the form of an email – usually from someone you know – containing an attachment with a .SCR file extension – but with no heading.
>
>Some of the attachments are seemingly harmless – but if you open them, the virus will infect squillions of EXE and DLL files on your system. It’s a real problem because only the most recent virus patterns will detect the infection – and by the time you’ve detected it – it’s too late. This virus will then:
>
>1. Start sending e-mails to everyone you send e-mails to with a .SCR attachment (not necessarily the same attachment – there are several different file attachments) - AND you don’t actually know you’re sending these e-mails, as they don’t appear in either your outbox or sent items.
>2. Bar you from accessing the SYMANTEC web site (plus others) to download the latest virus pattern
>3. Sometimes run an auto-dial programme on boot up to try to access a remote site somewhere - presumably to do more damage to your system
>
>The only way I could get rid of the virus was to download a demo version of LEPRECAUN from their web site www.leprecaun.com.au (the virus doesn’t seem to know this is a virus-busting site) and run the DOS version of their virus removal system. It appears that Windows versions of most virus busting software can’t remove the virus as it keeps replicating itself every time you try and delete it.
>
>You can check to see if you’ve got this problem simply by going to SYMANTEC.COM and see if you can actually access the site. If you’ve got the virus, I’ve found that the quickest way to remove it is to
>
>1. Obtain a trial version of Leprecaun and install this.
>2. Restart your system to the command prompt only.
>3. Change to the leprecaun directory usually C:\PROGRA~1\LEPREC~1\VIRUSB~1
>4. Run their DOS based programme called SYSCLEAN by typing SYSCLEAN /ALL at the command prompt
>
>Unfortunately, I’ve found that you still can’t access the SYMANTEC web site, and IE still comes up with a General Protection error every time I try – even after cleaning the virus. After doing some more research, it was suggested we also re-install wsock32.dll, explorer.exe and rundll32.exe – we did this, but still can’t get into the SYMANTEC web site. The virus is now gone, and this appears to be the only legacy of a nasty experience.
>
>I found the web site www.zdnet.com very helpful reading as it also suggested more things to try – if you want more information on this virus you can go to:
>
>http://www.zdnet.com/zdhelp/stories/main/0,5594,2644979,00.html

McAfee/NAI VirusScan can also deal with identifying the virus, and in cleaning most but not all infections related to it; my own experience has been that booting into Safe mode and replacing WSOCK32.DLL with a clean one was always necessary, and in most cases, reinstalling the original OS, electing to replace all newer files, rebooting into Safe mode and then running a scan was needed to be 100% clean of the problem.

OBTW, if you're using a dedicated server and there are executables there that the user has read/write privileges to, these files may become infected and reinfect cleaned systems during login script processing...

>
>Regards
>
>
>
>Chris Kable
>FUELtrac
EMail: EdR@edrauh.com
"See, the sun is going down..."
"No, the horizon is moving up!"
- Firesign Theater


NT and Win2K FAQ .. cWashington WSH/ADSI/WMI site
MS WSH site ........... WSH FAQ Site
Wrox Press .............. Win32 Scripting Journal
eSolutions Services, LLC

The Surgeon General has determined that prolonged exposure to the Windows Script Host may be addictive to laboratory mice and codemonkeys
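
The reply's point about server-side executables that users can write to can be checked before cleaned workstations log in again. The following is an added example, not part of the original thread: the function names are hypothetical, and `baseline` is assumed to be a dict mapping each relative path to the SHA-256 of a known-clean copy.

```python
import hashlib
import os

# Extensions the thread names as infection targets (.EXE, .DLL) or carriers (.SCR).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr"}


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def user_can_write(path):
    """True if the current account can open the file for writing.
    Opening in r+b mode changes neither the content nor the size."""
    try:
        with open(path, "r+b"):
            return True
    except OSError:
        return False


def audit_share(root, baseline=None):
    """Walk `root` and return {relative_path: set_of_flags}.
    'writable' = the current user could alter the executable.
    'changed'  = hash differs from the known-clean `baseline` entry.
    'unlisted' = executable is not in the baseline at all."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            flags = set()
            if user_can_write(full):
                flags.add("writable")
            if baseline is not None:
                known = baseline.get(rel)
                if known is None:
                    flags.add("unlisted")
                elif known != sha256_of(full):
                    flags.add("changed")
            if flags:
                findings[rel] = flags
    return findings
```

The result reflects only what the account running the script can do, so run it under an ordinary user login rather than an administrator account.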