Magistr
Aliases: Disemboweler, W32/Magistr@mm, Troj_Magistr, I-Worm.Magistr

Type: Portable executable virus and mass-mailing email worm
Systems Affected: Windows systems.
Payload: Overwrites all disk files with the text "YOUARESHIT" on all local and network drives (delayed). Erases the contents of the system BIOS (CMOS) and destroys hard drive sectors on Windows 9x computers.
ITW: Yes
Origin:

According to F-Secure, Magistr has the following characteristics:

Description: Magistr is a very dangerous memory-resident Win32 worm combined with virus infection routines. It was found in the wild in the middle of March 2001. Magistr spreads via the Internet in infected emails, infects Windows executable files on the affected (local) machine, and is able to spread itself over a local network (LAN).

The virus has an extremely dangerous payload: depending on various conditions it erases hard drive data, CMOS memory and Flash BIOS contents in the same way the Win95.CIH (aka Chernobyl) virus does.

The virus itself is a program of about 30 KB written in assembler, which is very large for a virus written in pure assembly language. The size is accounted for by the Win32 EXE file infection algorithm, the email and network spreading routines, two polymorphic engines, the payload routines and the many anti-debugging and other tricks the virus uses to make its detection and disinfection more difficult. This makes it one of the most complex viruses known at the moment.

When the virus is run (for example from an infected message, when a user clicks on an infected attachment) it installs itself as memory resident in Windows memory, then runs in the background, sleeps for a few minutes and runs its routines: local and network Win32 EXE file infection, email spreading, etc.

To install itself in memory the virus gets access to the EXPLORER.EXE process memory (the EXPLORER.EXE program image that is actually running in Win32 memory) and patches it with a short 110-byte "loader" routine that then runs the main virus code inside EXPLORER's memory. The virus therefore becomes memory resident as a component of the EXPLORER.EXE process and operates in the background as an EXPLORER thread. Before running its routines the virus sleeps for 3 minutes.

The virus then takes a file (usually the first file) in the Windows directory, infects it and registers that file in the Windows auto-run Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run and in the "run=" instruction of the [windows] section of WIN.INI. The virus code is thus activated on each Windows restart.

That file is infected in such a way that the host program is not activated when the virus runs (control is not returned to the host program; the affected application simply exits). Thus the virus activates itself from the system Registry or from WIN.INI without any visible side effect.

The virus then runs its infection routines, which scan directories and available drives for Win32 PE .EXE and .SCR files and infect them. First the virus tries the WINNT, WINDOWS, WIN95 and WIN98 directories and infects the files there; that routine is activated randomly, 3 times out of 4. Next the virus scans all local drives and infects files on them.

After that the virus enumerates network resources that are shared for full access, looks for WINNT, WINDOWS, WIN95 and WIN98 directories on them, and infects files in those directories. The virus also registers itself there by writing a "run=" instruction to the remote WIN.INI file, so remote Win9x systems become infected on their next Windows startup.
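The two autostart locations named above (the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key and the "run=" line of the [windows] section of WIN.INI) are also the first places a responder checks. The Python script below is an added example, not part of the F-Secure description or of About.com's page: it parses a constructed WIN.INI and a constructed snapshot of the Run key, and flags entries that launch a program straight out of a Windows system directory, since the virus registers an infected file from exactly there. The sample paths, the dictionary standing in for the registry and the known-good allowlist are assumptions made for the demo.

```python
"""Audit the two Windows autostart locations Magistr uses for persistence:
the HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key and the
"run="/"load=" lines of the [windows] section of WIN.INI.
All input below is constructed for the demo; no live system is read."""
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed WIN.INI as an infected Win9x host might carry it: the run=
# line now launches the infected host program from the Windows directory.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\NOTEPAD.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed snapshot of the Run key (value name -> command line). A real
# audit would fill this dictionary from winreg on the machine under review.
SAMPLE_RUN_KEY = {
    "ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun",
    "NOTEPAD": "C:\\WINDOWS\\NOTEPAD.EXE",
}

# Directories the virus infects first and registers its host program from.
WINDOWS_DIRS = {"WINDOWS", "WINNT", "WIN95", "WIN98"}


def program_path(command):
    """Return the executable part of an autostart command line, handling a
    quoted path with spaces as well as a bare path followed by arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def parse_win_ini_run(ini_text):
    """Return the programs listed on the run= and load= lines of [windows].
    Both lines hold a comma- or space-separated list of programs."""
    section = None
    programs = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ("run", "load") and value:
            programs.extend(p for p in re.split(r"[ ,]+", value) if p)
    return programs


def autostart_findings(ini_text, run_key, known_good=frozenset()):
    """Flag autostart entries that launch a program located directly in a
    Windows system directory and whose file name is not on the allowlist.
    Returns a sorted list of (source, path) tuples."""
    candidates = [("WIN.INI run=", p) for p in parse_win_ini_run(ini_text)]
    candidates += [(RUN_KEY, program_path(cmd)) for cmd in run_key.values()]
    findings = set()
    for source, path in candidates:
        p = PureWindowsPath(path)
        if p.parent.name.upper() in WINDOWS_DIRS and p.name.lower() not in known_good:
            findings.add((source, path))
    return sorted(findings)


if __name__ == "__main__":
    for source, path in autostart_findings(SAMPLE_WIN_INI, SAMPLE_RUN_KEY,
                                           known_good={"scanregw.exe"}):
        print(f"{source}: {path}")
```

A hit on a familiar name such as NOTEPAD.EXE is the point rather than a false alarm: the virus does not drop a new file with an odd name, it infects whatever file it finds first in the Windows directory and makes that file autostart, so the audit has to judge the location and the registration, not the name.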

While processing the drives the virus creates a special .DAT file for its own use. The file name and location depend on the network name of the current machine, for example:

Machine name -> File name
WINDOWS98    -> CQL98.DAT
PUPKIN       -> JEJOQL.DAT
CS-GOAT      -> WG-SKYF.DAT

That file is created in the Windows directory, in the 'Program Files' directory, in the root directory of drive C:, or in the root directory of the system drive.

The virus affects PE EXE files (Win32 executables) in a complex and difficult-to-disinfect way. It encrypts its main code with a polymorphic engine and writes itself to the end of the file. To get control when an infected file starts, the virus patches the entry code with one more polymorphic routine that passes control to the main encrypted virus code at the end of the file.

To send infected emails the virus reads the settings of the installed email clients from the system Registry. It gets information on the following clients: Outlook Express, Netscape Messenger, and Internet Mail and News. The virus then scans the email database files of the clients it found, gets email addresses from them and sends its copies to those addresses.

The infected messages may have no body (no text in the message) or a randomly constructed text; the same applies to the Subject. The attached file name is variable and can have an EXE or SCR extension. The virus looks in the system for a PE EXE file of up to 132K in length, infects it and attaches it to the message. The Subject and Body are randomly constructed from words and sentences found in .DOC and .TXT files on the system (the virus also scans local drives for these files and takes text from them). The virus also randomly uses words and sentences from the following list:
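The file infection just described (encrypted body written to the end of the file, entry code patched to pass control there) is the classic appending-infector pattern, and a defender wants a header-level check for it. The Python below is an added example, not code from F-Secure or About.com: build_pe assembles constructed sample PE32 images, and infection_indicators reports whether the entry point lies in the last section, in a writable or non-executable section, or outside every section, and whether bytes sit past the end of the last section. The indicator strings, the sample section layouts and the build_pe helper are this example's own assumptions; Magistr's polymorphic entry patch is not reproduced.

```python
"""Header checks for the appending-infector pattern: body written to the
end of a PE file, entry code redirected to it. Added example with
constructed sample images; nothing here is a real infected file."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_pe(entry_rva, sections):
    """Assemble a minimal PE32 image (DOS header, PE signature, COFF header,
    optional header, section table, raw section data). Constructed for the
    demo only; the result is not a loadable program."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    raw_ptr = 0x200                                           # headers fit in one unit
    table, body = bytearray(), bytearray()
    for name, vaddr, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             0x1000, vaddr, 0x200, raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += bytes(0x200)
    image = dos + b"PE\0\0" + coff + opt + table
    return bytes(image + bytes(raw_ptr - len(image)) + body)


def parse_pe(data):
    """Return (entry_rva, sections); each section is a dict with name,
    vaddr, vsize, rawptr, rawsize and chars (characteristics flags)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": max(vsize, rawsize),
                         "rawptr": rawptr, "rawsize": rawsize, "chars": chars})
    return entry, sections


def infection_indicators(data):
    """Header-level signs of an appending infector. Each is only a hint:
    packers and installers legitimately trigger some of them."""
    entry, sections = parse_pe(data)
    hits = []
    holder = next((s for s in sections
                   if s["vaddr"] <= entry < s["vaddr"] + s["vsize"]), None)
    if holder is None:
        hits.append("entry point outside every section")
    else:
        if len(sections) > 1 and holder is sections[-1]:
            hits.append("entry point in last section")
        if holder["chars"] & IMAGE_SCN_MEM_WRITE:
            hits.append("entry point section is writable")
        if not holder["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append("entry point section is not executable")
    end_of_sections = max((s["rawptr"] + s["rawsize"] for s in sections), default=0)
    if len(data) > end_of_sections:
        hits.append("data appended after the last section")
    return hits


# Constructed samples: a clean layout, one whose entry point was moved into
# a writable last section, and the clean image with bytes appended.
CLEAN = build_pe(0x1000, [(".text", 0x1000, 0x60000020), (".data", 0x2000, 0xC0000040)])
MOVED_ENTRY = build_pe(0x2100, [(".text", 0x1000, 0x60000020), (".data", 0x2000, 0xE0000040)])
APPENDED = CLEAN + b"\x90" * 0x100

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("moved entry", MOVED_ENTRY), ("appended", APPENDED)):
        print(f"{label}: {infection_indicators(image) or ['no indicators']}")
```

These are triage hints, not verdicts: a packed or installer-built executable legitimately carries an overlay or starts in a late section, so a hit means "look closer", for example by comparing the file against a known-good copy or hash. Because the description says the entry code is patched in place rather than the entry address moved, the appended-data check is the one most likely to fire on a file infected the way the page describes.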

sentences you
ayant délibéré
sentences him to
le présent arrêt
sentence you to
vu l'arrêt
ordered to prison
conformément à la loi
convict
exécution provisoire
, judge
rdonn
circuit judge
audience publique
trial judge
a fait constater
found guilty
cadre de la procédure
find him guilty
magistrad
affirmed
apelante
judgment of conviction
recurso de apelaci
verdict
pena de arresto
guilty plea
y condeno
trial court
mando y firmo
trial chamber
calidad de denunciante
sufficiency of proof
costas procesales
sufficiency of the evidence
diligencias previas
proceedings
antecedentes de hecho
against the accused
hechos probados
habeas corpus
sentencia
jugement
comparecer
condamn
juzgando
trouvons coupable
dictando la presente
à rembourse
los autos
sous astreinte
en autos
aux entiers dépens
denuncia presentada
aux dépens

While sending infected messages the virus connects to one of three email servers using the SMTP protocol and sends the messages through them. The virus also randomly (in 4 cases out of 5) corrupts the second letter of the sender name.

The virus stores in its body ten email addresses of already-infected users (a history of spreading: the 10 latest email addresses the virus spread from). While spreading, the virus compares each victim email address with that list and does not send messages to addresses that are already infected.

Depending on its internal counters the virus manifests itself: it gets access to the Windows desktop and does not allow the desktop icons to be reached with the mouse. When the mouse cursor is moved to an icon, the virus moves the icon away from the cursor, so the desktop icons appear to "escape" the mouse cursor. A similar effect was first introduced by the Joke.Win.Stupid joke program, but there it was a button 'running away' from the mouse cursor, not an icon.

One month after infecting the computer the virus runs its payload routine, which overwrites all disk files with the text "YOUARESHIT" on all local and network drives. Under Win9x the virus also erases the CMOS, the Flash BIOS and hard drive data.

The virus then displays the message:


Another haughty bloodsucker.......
   YOU THINK YOU ARE  GOD ,
   BUT YOU ARE ONLY  A CHUNK OF SH*T
