Worm component

Worm component
The worm component makes a copy of Wsock32.dll and names it Wsock32.mtx. The Send export function of this .mtx file is then
modified to point to its own code.
This allows the virus to mail a copy of the worm infected with this virus to the same person to whom the user sends an email
(using the same program).

Here are a list of file names that this virus might use when it sends the infected worm to other people. For those files with
.pif extensions, the .pif extension might not be visible in your mail program.

I_wanna_see_you.txt.pif
Matrix_screen_saver.scr
Love_letter_for_you.txt.pif
New_playboy_screen_saver.scr
Bill_gates_piece.jpg.pif
Tiazinha.jpg.pif
Feiticeira_nua.jpg.pif
Geocities_free_sites.txt.pif
New_napster_site.txt.pif
Metallica_song.mp3.pif
Anti_cih.exe
Internet_security_forum.doc.pif
Alanis_screen_saver.scr
Reader_digest_letter.txt.pif
Win_$100_now.doc.pif
Is_linux_good_enough!.txt.pif
Qi_test.exe
Avp_updates.exe
Seicho_no_ie.exe
You_are_fat!.txt.pif
Free_xxx_sites.txt.pif
I_am_sorry.doc.pif
Me_nude.avi.pif
Sorry_about_yesterday.doc.pif
Protect_your_credit.html.pif
Jimi_hendrix.mp3.pif
Hanson.scr
F___ing_with_dogs.scr
Matrix_2_is_out.scr
Zipped_files.exe
Blink_182.mp3.pif

Wininit.ini is created by this component, which causes Wsock32.dll to be deleted and Wsock32.mtx to be renamed to Wsock32.dll.
Wininit.ini executes after the computer is restarted. After Wininit.ini is created, this component runs the virus component.

Virus component
The virus component searches for specific antivirus programs running. If the virus finds one, the virus does not run.
If the virus continues to run, it decompresses the worm component, drops a copy of it into the user's Windows directory
(typically C:\Windows), and runs it. The name of this dropped file is Ie_pack.exe.
After Ie_pack.exe is executed, it is renamed to Win32.dll.

The virus also drops Mtx_.Exe and runs it. This is a downloader program that goes to a specific Web site (i.am/[MATRIX]) where
plug-ins for the virus are downloaded and executed. It searches for Win32 executables in the current directory, Windows directory,
and the Temp directory. The file to be infected needs to have a size that is not divisible by 101, is greater than 8K in size, and
has at least 20 import call instructions. If not, the file is not infected by the virus.

The virus also adds a registry entry that lets the downloader run automatically every time the system is started. The downloader is
invisible in the Task List.