First discovered infecting computers in mid-March 2001, the Magistr virus is considered a high risk threat. Cunningly, the virus sits on the infected user's system for a pre-determined period of time before unleashing its wrath which ranges from corrupting data to erasing critical information found in the system BIOS and overwriting sectors on the hard drive. Compounding the risk, on September 3, 2001 a new variant was discovered that was impervious to signature-based scanners. Reportedly, the new variant is an "improved" version of the original Magistr, making the rendering of its malicious payload far more likely.
New variants of Magistr are particularly threatening. Because Magistr sends itself with random filenames, random subject lines, and random message bodies, traditional filtering mechanisms (i.e. lexical analysis or filtering on keywords) will not work. In such a case filtering of all executables remains the most viable defense against this type of email-borne threat.
Specifically, Magistr is a mass-mailing email worm arriving as an .EXE attachment. The filename itself varies, and the message may include one or more files that are not part of the infection but rather were lifted from the infected user's machine. If the .EXE file is run, the virus will copy itself to the Windows\System directory, infect Windows 32-bit portable executable files on the system, and will also register itself to run each time the system is rebooted. To do so, Magistr modifies the registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\filename
The filename designated will be whatever name the virus was received under, with the last character of the name decremented by one. Thus, if the infected executable is received as ABCDEFG.EXE, the name saved in the Windows\System directory and targeted in the registry becomes ABCDEFF.EXE.
The worm could also install itself via the WIN.INI file's LOAD= line, in which case the pointer would again be to the copy of itself in the Windows\System directory.
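The two defensive points above, filtering executables by content rather than by name, and recognising the decremented-name copy referenced from the Run key, as an added example (not from the original article or any vendor tool). The Run-key snapshot, attachment names and PE bytes are constructed sample data; the name derivation follows the page's ABCDEFG.EXE to ABCDEFF.EXE rule and simply decrements whatever the last character is, since the page does not say how edge cases such as "A" or "0" are handled.

```python
import struct


def is_pe_executable(data: bytes) -> bool:
    """True if the bytes look like a Windows PE file: an 'MZ' DOS header and a
    'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C). This ignores
    the attachment's filename entirely, so a random or disguised name does not
    help the worm get past the filter."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def expected_dropped_name(attachment_name: str) -> str:
    """Derive the name Magistr writes to Windows\\System from the name it
    arrived under: last character of the base name minus one
    (ABCDEFG.EXE -> ABCDEFF.EXE). Assumption: plain decrement, no wrap-around."""
    stem, dot, ext = attachment_name.rpartition(".")
    if not dot:                      # no extension at all
        stem, ext = attachment_name, ""
    if not stem:
        raise ValueError("attachment name has no base name")
    stem = stem[:-1] + chr(ord(stem[-1]) - 1)
    return stem + dot + ext


def flag_run_entries(run_entries: dict, seen_attachments) -> list:
    """run_entries: value name -> command path, a snapshot of
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.
    Returns the value names whose target basename equals the dropped name
    derived from any attachment name the mail gateway has seen."""
    derived = {expected_dropped_name(n).lower() for n in seen_attachments}
    hits = []
    for value_name, path in run_entries.items():
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in derived:
            hits.append(value_name)
    return sorted(hits)


# Constructed sample data (not taken from the page).
SAMPLE_ATTACHMENTS = ["ABCDEFG.EXE", "report.exe"]
SAMPLE_RUN = {
    "ABCDEFF": r"C:\WINDOWS\SYSTEM\ABCDEFF.EXE",   # matches derived name
    "Sound": r"C:\WINDOWS\SYSTEM\sndvol.exe",      # unrelated entry
}
# Minimal PE-shaped blob: MZ header, e_lfanew = 0x40, 'PE\0\0' at 0x40.
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16

if __name__ == "__main__":
    print(is_pe_executable(SAMPLE_PE), flag_run_entries(SAMPLE_RUN, SAMPLE_ATTACHMENTS))
```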
In any event, five minutes after the virus was initially run, it begins a mass-mailing routine based on addresses found in Outlook, Outlook Express, and even Netscape Mail. The body and subject line of the email appear to be derived from files or emails on the infected user's system. This could either cause the email message carrying the virus to appear filled with gibberish, or conversely, the chosen text could lend an air of legitimacy.
Describing it as "anti-emulation, polymorphic with advanced infection algorithms," Patrick Nolan, virus researcher for McAfee AVERT, says this newest threat "sets up tricks to make it harder for virus researchers to debug it." Not being able to predict, with 100% accuracy, what Magistr will do next makes detecting it all the harder.
Viruses such as Magistr often require both antivirus engine updates, as well as the traditional signature updates, in order for detection to properly occur. If you are unsure as to whether you need to update both the engine and the virus signature files, contact your antivirus vendor or post a message to the Antivirus forum for assistance. Until such measures have been taken, users are urged to not open any .EXE file received via email, even if from a known source. Always double check with the sender to determine whether the email attachment was intended before opening any executable attachments. Better yet, employ filtering software or techniques to prohibit such executables from reaching your inbox.