! Highly dangerous... with certain BIOS settings (wrong cylinder and sector values) this virus can even create defective sectors on the hard disk !!!
W32/Magistr@MM - Risk Assessment: Medium
Virus Information
Discovery Date: 03/12/2001
Origin: Europe
Length: Varies, adds at least 24 Kb
Type: Virus
SubType: worm
Minimum Dat: 4128
Minimum Engine: 4.1.00
DAT Release Date: 03/14/2001
Description Added: 03/13/2001
Virus Characteristics
W32/Magistr@MM is a combination of a file-infector virus and an e-mail worm.
- The viral code infects 32-bit PE executables (.EXE) in the WINDOWS directory and its subdirectories.
- The worm component uses mass-mailing techniques to send itself to e-mail addresses harvested from several locations. It installs itself to run at each system startup.
Five minutes after the virus is run, it attempts its mailing routine. E-mail addresses are gathered from the Windows Address Book, Outlook Express mailboxes, and Netscape mailboxes (addresses found in the messages stored in existing mailboxes are collected as well), and these file locations and addresses are saved to a hidden .DAT file somewhere on the hard disk (the location varies). The messages sent by the worm have varying subject lines, body text, and attachments. The body text is taken from the contents of other files on the victim's computer. A message may carry more than one attachment and may include non-.EXE or non-viral files alongside an infected .EXE file.
The virus then infects 32-bit PE (Portable Executable) .EXE files found in the WINDOWS SYSTEM directory and its subdirectories. The viral code is encrypted and polymorphic, and uses anti-debugging techniques to make it difficult to detect and analyze. E-mail addresses have been seen stored in encrypted form inside infected files; these addresses are believed to belong to other users infected from the same point of origin.
In the decrypted body of the virus code, the following comments exist:
ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler.
by: The Judges Disemboweler.
written in Malmo (Sweden)
W32/Magistr@MM has a payload routine that on some systems may erase CMOS/BIOS information and destroy sectors on the hard disk.
Symptoms
- Increase in size of .EXE files (adds 24 Kb or more)
- Infected files carry a modified date equal to the time of infection
- Presence of a newly created .DAT file containing e-mail addresses (the users to which the virus was sent)
- Entry in WIN.INI: RUN=(App)
- Entry in the Registry, run key value:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AppName (varies)=C:\WINDOWS\SYSTEM\(App).EXE (varies)
Method Of Infection
This worm arrives as an .EXE attachment with varying filenames. Executing the attachment infects the machine, which is then used to propagate the virus.
When first run, the virus may copy one .EXE file in the WINDOWS or WINDOWS SYSTEM directory under the same name with an altered last character.
For example, CFGWIZ32.EXE becomes CFGWIZ31.EXE, PSTORES.EXE becomes PSTORER.EXE, etc.
(This naming convention appears to be consistent: the last character of the filename is decremented by one.)
This copy is then infected, and a WIN.INI entry or a registry run key value may be created to execute the infected file at system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
CFGWIZ31=C:\WINDOWS\SYSTEM\CFGWIZ31.EXE
When run, this copied executable infects other PE .EXE files in the SYSTEM directory and its subdirectories.
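The "last character decremented by one" naming pattern above is easy to hunt for in a directory listing. The following is an added example (not McAfee's code and not part of the original advisory): it takes the names found in the WINDOWS or WINDOWS SYSTEM directory and flags every .EXE that is the decremented twin of another file present in the same directory. It assumes the decrement is one step in ASCII order, which covers both the digit case ('2' -> '1') and the letter case ('S' -> 'R') shown in the advisory; what the worm does when the last character is '0' or 'A' is not documented, so such names are skipped. The sample listing is constructed for the demonstration.

```python
"""Heuristic for the Magistr dropper naming pattern (added example, not McAfee's code).

Given a directory listing, flag every .EXE whose name is the "last character
decremented by one" twin of another file in the same listing, e.g.
CFGWIZ32.EXE / CFGWIZ31.EXE or PSTORES.EXE / PSTORER.EXE.
Assumption: the decrement is one step in ASCII order ('2' -> '1', 'S' -> 'R');
names ending in '0', 'A' or a non-alphanumeric character are skipped because
the advisory does not say what the worm does with them.
"""
import os
from typing import Iterable, List, Optional, Tuple


def decremented_twin(filename: str) -> Optional[str]:
    """Name Magistr would give its copy of `filename`, or None if undefined.

    Only the last character of the base name changes; the extension is kept.
    Everything is upper-cased first, matching Windows' case-insensitive names.
    """
    base, ext = os.path.splitext(filename.upper())
    if not base:
        return None
    last = base[-1]
    if not (("1" <= last <= "9") or ("B" <= last <= "Z")):
        return None  # '0', 'A' and non-alphanumerics: no defined twin
    return base[:-1] + chr(ord(last) - 1) + ext


def find_suspect_pairs(listing: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (original, suspected copy) pairs that coexist in `listing`."""
    names = {n.upper() for n in listing}
    pairs = []
    for name in sorted(names):
        if not name.endswith(".EXE"):
            continue
        twin = decremented_twin(name)
        if twin is not None and twin in names:
            pairs.append((name, twin))
    return pairs


# Constructed directory listing for the demonstration (not a real capture).
SAMPLE_LISTING = [
    "CFGWIZ32.EXE", "CFGWIZ31.EXE",   # twin pair named in the advisory
    "PSTORES.EXE", "PSTORER.EXE",     # twin pair named in the advisory
    "NOTEPAD.EXE", "README.TXT",      # unrelated files
]

if __name__ == "__main__":
    # On a live system: find_suspect_pairs(os.listdir(r"C:\WINDOWS\SYSTEM"))
    for original, copy in find_suspect_pairs(SAMPLE_LISTING):
        print(f"suspect copy: {copy} (twin of {original})")
```

Every hit still needs confirmation against the other symptoms listed on this page (the copy is 24 Kb or more larger than its twin, its modification date matches the infection time, and a WIN.INI RUN= line or Run key points at it); legitimately sequential names such as TOOL2.EXE beside TOOL1.EXE will pair up too.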
This virus creates a .DAT file on the local file system containing the paths of the files it harvested e-mail addresses from (.dbx, .mbx, .wab) and the harvested e-mail addresses themselves, which serve as its target list. The .DAT file is named after the machine name, with each letter substituted according to the following table:
original letter -> corresponding letter
a -> y
b -> x
c -> w
d -> v
e -> u
f -> t
g -> s
h -> r
i -> q
j -> p
k -> o
l -> n
m -> m
n -> l
o -> k
p -> j
q -> i
r -> h
s -> g
t -> f
u -> e
v -> d
w -> c
x -> b
y -> a
z -> z
Numbers are not affected, so a machine name of ABC-123 produces a .DAT file on the local system named YXW-123.DAT.
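The substitution table above is a fixed rule, so an incident responder can compute the expected .DAT name from the hostname instead of searching blindly. The following is an added example (not McAfee's code and not part of the original advisory): it encodes the table as letter i -> letter (24 - i) mod 26, which reproduces every row above (a->y ... m->m ... y->a, z->z), leaves digits and other characters alone, and, because the mapping is its own inverse, also turns a .DAT name found on disk back into the machine name it came from.

```python
"""Name of the hidden address-list .DAT file Magistr writes, derived from the
machine name (added example, not McAfee's code).

The advisory's table is the substitution letter[i] -> letter[(24 - i) mod 26]:
a->y, b->x, ..., m->m, ..., y->a, z->z.  Digits and other characters pass
through unchanged.  Applying it twice returns the original text, so the same
function recovers the machine name from a .DAT file name.
"""
import string

_LOWER = string.ascii_lowercase
# index i -> index (24 - i) % 26 reproduces the advisory's table exactly
_TABLE = {c: _LOWER[(24 - i) % 26] for i, c in enumerate(_LOWER)}
_TABLE.update({c.upper(): m.upper() for c, m in list(_TABLE.items())})


def substitute(text: str) -> str:
    """Apply the letter substitution; non-letters pass through untouched."""
    return "".join(_TABLE.get(ch, ch) for ch in text)


def dat_filename(machine_name: str) -> str:
    """Expected name of the worm's .DAT file for a given machine name."""
    return substitute(machine_name) + ".DAT"


def machine_name_from_dat(dat_name: str) -> str:
    """Recover the machine name from a .DAT file name (the map is an involution)."""
    base = dat_name[:-4] if dat_name.upper().endswith(".DAT") else dat_name
    return substitute(base)


if __name__ == "__main__":
    import socket
    host = socket.gethostname()
    print(f"{host} -> search all drives for a hidden file named {dat_filename(host)}")
```

The file is hidden and its directory varies, so the computed name has to be searched for across every drive with hidden files included; a match is a strong indicator, and its contents (mailbox paths plus the address list) tell you who was targeted from this machine.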
Removal Instructions
Use specified engine and DAT files for detection and removal.
Variants
No known variants.
Aliases
Name
I-Worm.Magistr (CA)
Magistr (F-Secure)
PE_MAGISTR.A (Trend)
W32.Magistr.24876@mm (Symantec)
W32/Disemboweler (Panda)
W32/Magistr-a (Sophos)