
It installs an application called JohnTheRipper, a password cracker that uses a dictionary method to crack passwords.

It installs dsniff to sniff for passwords.

Even those unfamiliar with the terms and details above may agree that this much activity is frightening.

In early November 2004, a week after the discovery of opener, Apple, the maker of the Macintosh and of its operating system, released the following statement:

“Opener is not a virus, Trojan horse, or worm. It does not propagate itself across a network, through email, or over the Web. Opener can only be installed by someone who already has access to your system and provides proper administrator authentication. Apple advises users to only install software from vendors and Web sites that they know and trust.”

In response, antivirus experts said that while opener was not an immediate threat, it is a worm because it attempts to copy itself, and is therefore a virus as well, because worms are a special type of virus.

5.12 MTX Worm/Virus

The MTX malware (formal designation W95.MTX or W32/Apology) is a combination of three nasty parts, a virus, a worm, and a Trojan horse (the latter provides a backdoor that downloads certain pieces of code and installs them). It first appeared in August/September 2000 and was designed to attack computers running the Windows 95 operating system. The name MTX stands for “matrix” because this word was found inside the virus part of MTX. It propagates by email and infects certain executable files in specific directories. The virus also tries to block access to certain Web sites and block email access to other sites in an attempt to prevent the user from locating information and downloading new virus definitions.

MTX is well known for the “trouble” it takes to prevent the user from getting help. It actually modifies an operating system file to make it impossible for the user to visit certain Web sites and to send email to others. More information about this menace is available at [MTX 05].

When MTX invades a computer, it decompresses itself, installs the worm and backdoor parts in the computer, then infects many files. The virus part infects a file by installing itself close to the start of the file but not at the very start. This technique, which makes it difficult for anti-virus software to locate MTX, is referred to as entry point obscuring or EPO.

The worm part of MTX prepares a copy of library file Wsock32.dll and names it Wsock32.mtx. The “send export” function of the copy is then modified to point to its own code. The effect of this is to send MTX, as an attachment, to a special email message that is sent, without the user’s knowledge, after each legitimate message.

The MTX attachment may have one of many potentially misleading names, some of which are listed below. Many of these have a .pif extension, which stands for program information files. Such files are used by Windows to execute old DOS programs, but the attachments always include executable code of type .exe, so when the receiver clicks on an attachment, it is executed by Windows and MTX infects the receiving computer.

I_wanna_see_you.txt.pif
Matrix_screen_saver.scr
Love_letter_for_you.txt.pif
New_playboy_screen_saver.scr
Bill_gates_piece.jpg.pif

Names of attachments.

To entice the receiver to click on the attachment, it often has two extensions, the first of which is .jpg, suggesting an image. However, the second extension is often .pif. The worm also prepares an auxiliary file named Wininit.ini that’s executed when the computer is restarted and whose function is to delete Wsock32.dll and rename Wsock32.mtx to Wsock32.dll. After creating Wininit.ini, the worm executes the virus part of MTX.
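A mail-gateway check for the double-extension lure described above, added here as an example and not taken from the original text. The extension sets, function names and the sample message are assumptions constructed for illustration; only the attachment names come from the list above.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs on double-click; .pif and .scr are the two the text names.
EXECUTABLE = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "lnk"}
# Extensions that make a name look like a harmless document or image.
DECOY = {"txt", "jpg", "jpeg", "gif", "png", "doc", "pdf", "mp3"}

def classify(filename):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Win32 path handling drops trailing dots and spaces, so strip them first.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY:
        return "double-extension"
    return "executable"

def scan_message(raw_bytes):
    """Parse a MIME message and return (filename, verdict) for each risky attachment."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = classify(name)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings

def build_sample():
    """Constructed sample message; two names are taken from the list in the text."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("Love_letter_for_you.txt.pif", "Matrix_screen_saver.scr", "holiday.jpg"):
        msg.add_attachment(b"\x00", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {name}")
```

The verdict depends only on the declared filename, so a gateway would normally pair it with content-type inspection of the attachment body.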

The virus part looks for specific antivirus programs. If the virus finds any of them executing, it does nothing. Otherwise, it decompresses the worm part, places a copy of it, named Ie_pack.exe, in the user’s Windows directory (typically C:\Windows), and executes it. After Ie_pack.exe is executed, it is renamed Win32.dll.

The virus also creates the Trojan backdoor as executable file Mtx_.Exe and executes it. This is a downloader program that goes to Web site i.am/[MATRIX] where plug-ins for the virus are downloaded and executed. The virus part then searches for Windows executable files in the current directory, in the Windows directory, and in the Temp directory. Files that satisfy the following conditions are infected: (1) file size is not divisible by 101, (2) file size is greater than 8 Kbyte, and (3) file has at least 20 import call instructions.

The virus also adds a registry entry that executes the Mtx_.Exe downloader automatically every time Windows is started. The downloader is invisible in the Task List.
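A host-side triage check for the artefacts named in the preceding paragraphs, added here as an example and not taken from the original text: it looks for the dropped files (Wsock32.mtx, Ie_pack.exe, Win32.dll, Mtx_.Exe) and parses Wininit.ini for boot-time operations on Wsock32. The [rename] syntax is the standard Windows 9x Wininit.ini format rather than something the text states, and the function names, directory layout and file paths in the sample are constructed for illustration.

```python
import ntpath
import os
import tempfile

# File names the text attributes to MTX, compared case-insensitively.
ARTEFACTS = {"wsock32.mtx", "ie_pack.exe", "mtx_.exe", "win32.dll"}
# Boot-time operations on these names are the ones worth reporting.
WATCHED = {"wsock32.dll", "wsock32.mtx"}

def pending_ops(ini_text):
    """Parse Wininit.ini's [rename] section into (action, source, dest) tuples."""
    # 'dest=src' renames src to dest at the next boot; 'NUL=src' deletes src.
    # Keys repeat (several NUL= lines), so configparser is not usable here.
    ops, in_rename = [], False
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
        elif in_rename and "=" in line and not line.startswith(";"):
            dest, src = (s.strip() for s in line.split("=", 1))
            ops.append(("delete", src, None) if dest.upper() == "NUL"
                       else ("rename", src, dest))
    return ops

def triage(root):
    """Walk root; return sorted findings for dropped files and Wsock32 boot-time ops."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in ARTEFACTS:
                findings.append(("file", name.lower()))
            elif name.lower() == "wininit.ini":
                with open(os.path.join(dirpath, name), errors="replace") as fh:
                    for action, src, dest in pending_ops(fh.read()):
                        if {ntpath.basename(p).lower() for p in (src, dest) if p} & WATCHED:
                            findings.append((action, ntpath.basename(src).lower()))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: a stand-in Windows directory holding MTX-style artefacts."""
    root = tempfile.mkdtemp()
    for name in ("Mtx_.Exe", "WSOCK32.MTX", "Notepad.exe"):
        open(os.path.join(root, name), "wb").close()
    with open(os.path.join(root, "Wininit.ini"), "w") as fh:
        fh.write("[rename]\nNUL=C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL\n"
                 "C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.MTX\n"
                 "NUL=C:\\WINDOWS\\TEMP\\SETUP.TMP\n")
    return root
```

Wininit.ini is a legitimate Windows 9x mechanism used by installers, so the check reports only entries that touch Wsock32 rather than the file's mere presence.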

MTX spreads by modifying file WSOCK32.DLL. This file controls the connection of the computer to the Internet, and MTX modifies it such that it sends a copy of the worm, as an attachment, in a second message that follows (unknown to the sender) each email message. The modification also prevents the computer user from visiting certain Web sites that belong to anti-virus software makers and information providers. These are sites whose URLs contain the 4-character strings nii., nai., avp., f-se, mapl, pand, soph, ndmi, afee, yenn, lywa, tbav, and yman.

In addition, this modification prevents the user from sending email to the following URLs: wildlist.o*, il.esafe.c*, perfectsup*, complex.is*, HiServ.com*, hiserv.com*, metro.ch*, beyond.com*, mcafee.com*, pandasoftw*, earthlink.*, inexar.com*, comkom.co.*, meditrade.*, mabex.com*, cellco.com*, symantec.c*, successful*, inforamp.n*, newell.com*, singnet.co*, bmcd.com.a*, bca.com.nz*, trendmicro*, sophos.com*, maple.com.*, netsales.n*, and f-secure.c*.

These techniques make it difficult for the victim to receive information, ask for help, or download anti-virus software and instructions, thereby turning this malware into a persistent infection that requires much time and effort to get rid of.
