
W32/Magistr.b@MM

Virus Name: W32/Magistr.b@MM
Risk: Medium (probable upgrade soon; note: it has a very destructive payload)
Date Discovered: 9/3/01
Type/length: Virus / file infector; length n/a
Aliases: I-Worm.Magistr.b (AVP), PE_MAGISTR.B (Trend), W32.Magistr.39921@mm (NAV), Win32.Magistr.B (CA)

NOTE: At present this virus is active only in Europe; however, it is expected to arrive
in the Americas at any time.

Virus Characteristics:
Magistr.B, a variant of the original Magistr.A virus, arrives in an e-mail and can carry
multiple message attachments. The virus itself may be contained in a file called readme.exe,
and the user must open the file for the virus to execute. In addition to destroying files,
Magistr.B also overwrites win.com and NTLDR, the operating-system loaders for
Windows, and destroys any file with a .ntz extension, a file type used by antivirus
software. The new virus also disables any active copies of Zone Labs Inc.'s ZoneAlarm
personal firewall that it finds. The virus spreads via e-mail and generates random subject
lines of up to 60 characters. Unlike many other mass-mailing viruses, Magistr.B can pull
addresses from the files of several e-mail clients, including Outlook, Outlook Express,
Eudora, Netscape Messenger and some Web-based mail clients.

It may come from an address you recognize, including those of friends and associates.


The email message can appear as follows:

         Subject, body and attachment:
         The messages sent by the worm contain varying subject headings, body text, and
         attachments. The body of the message is derived from the contents of other files on the
         victim's computer. It may send more than one attachment and may include non-EXE or
         non-viral files along with an infectious .EXE file.

         The multiple attachments often include .gif files, and may include a Readme.exe.
         There are indications that instead of a readme file, random names may be used.

         This is the file with the virus. Note: it will always be an .exe file.


When run, the attachment causes the worm to copy itself to the Windows or Windows System
directory, using a file name which is a one-character variation of the infected file's original
name. It then resends the payload to email addresses gathered from the Windows Address
Book, Outlook Express mailboxes, Netscape mailboxes, and Eudora mailboxes. These
addresses are saved to a hidden .DAT file somewhere on the hard disk. It may
also attach .GIF files found on the hard drive to the emails it sends out.

The virus proceeds by infecting 32-bit PE (Portable Executable) .EXE files found in
the WINDOWS SYSTEM directory and its subdirectories. The viral code is encrypted,
polymorphic, and uses anti-debugging techniques to make it difficult to detect.

W32/Magistr@MM has a payload routine that may also cause the following:

         Erasure of CMOS/BIOS info
         Destruction of sectors on the hard disk
         Deletion of all .NTZ files on the machine
         Termination of the ZoneAlarm firewall program
         Creation of a SYSTEM.INI [boot] shell value to run itself at startup
         Overwriting of WIN.COM/NTLDR

Indications Of Infection:

         Icons on the desktop move when the mouse cursor passes over them
         Increase in size of .EXE files (adds 24Kb or more)
         Infected files carry a modified access date equal to the time of infection
         Presence of a newly created .DAT file containing email addresses (representing those
                  users to which the virus was sent)
         Entry in WIN.INI: RUN=(App)
         Entry in the Registry run key:
                  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AppName (varies)=C:\WINDOWS\SYSTEM\(App).EXE (varies)
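A triage script for the persistence indicators listed above (the WIN.INI RUN= entry, the SYSTEM.INI [boot] shell value, and the Registry run key), added here as an example and not part of the original advisory. It parses text copies of those files (the Run key as a .reg export); the file contents and the name readmf.exe are constructed samples, not values from the advisory.

```python
import configparser
import re

# Indicator: a Run-key value launching an .EXE from C:\WINDOWS\SYSTEM (per the advisory).
SYSTEM_DIR_EXE = re.compile(r"^c:\\windows\\system\\[^\\]+\.exe$", re.I)

def _ini(text):
    # Windows INI files may repeat keys and hold bare lines, so parse leniently.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.read_string(text)
    return cp

def _get(cp, section, key):
    for name in cp.sections():  # section names are case-insensitive on Windows
        if name.lower() == section:
            return (cp.get(name, key, fallback="") or "").strip()
    return ""

def check_win_ini(text):
    """WIN.INI [windows] run= is normally empty; return any program listed there."""
    return _get(_ini(text), "windows", "run") or None

def check_system_ini(text):
    """SYSTEM.INI [boot] shell= should be exactly Explorer.exe; return anything else."""
    shell = _get(_ini(text), "boot", "shell")
    return shell if shell.lower() != "explorer.exe" else None

def check_run_key(reg_export):
    """Scan a .reg export of the Run key for values pointing into the SYSTEM directory."""
    hits = []
    for line in reg_export.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m:
            path = m.group(2).replace("\\\\", "\\")  # .reg exports double the backslashes
            if SYSTEM_DIR_EXE.match(path):
                hits.append((m.group(1), path))
    return hits

# Constructed samples: "readmf.exe" stands in for the one-character-varied worm copy.
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\readmf.exe\n[Desktop]\nWallpaper=(None)\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SYSTEM\\readmf.exe\n[386Enh]\ndevice=*vmm32\n"
REG_EXPORT = ('[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
              '"SystemTray"="SysTray.Exe"\n"readmf"="C:\\\\WINDOWS\\\\SYSTEM\\\\readmf.exe"\n')

def triage(win_ini=WIN_INI, system_ini=SYSTEM_INI, reg_export=REG_EXPORT):
    """Return only the indicators that fired; an empty dict means none of the three did."""
    found = {"win_ini_run": check_win_ini(win_ini), "run_key": check_run_key(reg_export),
             "system_ini_shell": check_system_ini(system_ini)}
    return {k: v for k, v in found.items() if v}
```

On a real machine, feed the script the contents of C:\WINDOWS\WIN.INI and SYSTEM.INI and a `regedit /e` export of the Run key; a hit is a lead for the other indicators above (the .DAT address file, grown .EXE files), not proof on its own.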
