MTX virus gains speed in unusual ways

The three-month-old MTX virus appears to be gaining speed, with several anti-virus vendors escalating the pesky bug to a medium-level threat in recent weeks.

The increased worries stem from a particularly harmful feature in which the virus blocks users from anti-virus Websites, stopping them from downloading virus protection updates and from issuing warnings.

Michael Callahan, director of product marketing at McAfee, a division of Network Associates Inc., said MTX first appeared in late August, originating in Germany. At the time of its discovery, McAfee’s AVERT (Anti-Virus Emergency Response Team) labeled the virus a low threat, but McAfee upgraded it to the medium level after about 32 users reported an MTX attack.

“We made it a medium threat about two to three weeks ago as we see the number of samples increasing,” Callahan said. “Mostly we see corporate users being hit.”

The virus proves troublesome by changing its subject header and attachment file names and by blocking users from anti-virus vendors’ Web sites. MTX spreads through a user’s Microsoft Outlook applications with varying attachment names, such as Bill_Gates_piece.jpg.pif, I_am_Sorry.doc.pif, Internet_Security_Forum.doc.pif and New_Playboy_Screen_Saver.scr. When a user clicks on one of these attached files, the virus begins spreading its evil ways.

Besides coming up with catchy attachment names, the author of MTX made sure that many of the best-known anti-virus vendors’ Web sites became inaccessible to users once they launched the devious files. Inc., Symantec Corp., and Sophos PLC all had parts of their sites blocked from users along with a number of other vendors. For Network Associates’ McAfee division, however, users could still access the AVERT labs website and McAfee’s corporate virus protection site.

McAfee will continue to monitor the virus but does not see it as a major threat just yet.

“If people don’t have up-to-date DAT protection as it starts to spread, it could spread a little bit faster,” Callahan said. “But people are paying more attention to keeping DAT files up to date these days.”

More information about the virus is available on AVERT’s Web site at Network Associates, in Santa Clara, Calif., can be reached at