VIRUS ALERT No.57 -- Thursday, March 15, 2001
Magistr Combines the Speed of "Love" with "Chernobyl's" Fallout
Computer users are warned about the discovery of a new, extremely dangerous computer virus, "Magistr," which spreads via e-mail and local area networks and uses a set of techniques to hide its presence on infected computers that make it very difficult to detect and disinfect. According to comments found in the virus body, it was written in Malmo, Sweden by a hacker using the pseudonym "The Judges Disemboweler."
Kaspersky Lab has already received several reports about the worm "in-the-wild."
"Magistr" can enter a computer in three ways: firstly, via e-mail, when a user (usually unwittingly) launches the infected attachment; secondly, over the local area network (LAN), by infecting files found on the shared resources of reachable servers and workstations; thirdly, when an infected file reaches the system on removable storage media or is downloaded from the Internet or another network.
As soon as the infected file is executed, the virus installs itself in the system and begins mass e-mail distribution; after some time (one month after the first infection, as described below) it activates its built-in destructive payload.
To carry out the mass mailing, "Magistr" scans the Outlook Express, Internet Mail and Netscape Messenger mail databases and the Windows Address Book and harvests every e-mail address it finds. The locations and names of the mail databases are stored in a special file with the DAT extension. The file's name is derived by encrypting the computer's name: for instance, if the computer is named CS-GOAT, the file will be named WG-SKYF.DAT. Depending on the first character of that name, the virus places the file in the root of the C: drive, the "Windows" directory or the "Program Files" directory.
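The single example above is enough to recover the letter mapping: in CS-GOAT to WG-SKYF every letter pair satisfies pos(in) + pos(out) = 24 (with A = 0), a fixed reflection of the alphabet that is its own inverse. The Python helper below is an added example, not code from the alert or from Kaspersky Lab; it computes the .DAT name an administrator should search for on a given host. Because the mapping is inferred from that one example and has not been checked against the virus code, the pass-through of digits and other characters, and the list of candidate drop directories (the alert does not say which first character selects which directory), are assumptions.

```python
"""Derive the Magistr .DAT file name for a host and list where to look for it.

Added example; the mapping is inferred from the alert's one example
(CS-GOAT -> WG-SKYF), not taken from the virus code.
"""
import string

ALPHABET = string.ascii_uppercase


def magistr_dat_name(computer_name: str) -> str:
    """Return the .DAT file name the alert says the virus derives from the host name.

    Every letter in the published example satisfies pos(in) + pos(out) == 24
    (A = 0), so A<->Y, B<->X, ..., M<->M and Z<->Z. The mapping is therefore
    an involution: applying it twice gives the original name back.
    """
    out = []
    for ch in computer_name.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(24 - ALPHABET.index(ch)) % 26])
        else:
            # '-' survives unchanged in the example; how the virus treats digits
            # and other characters is not stated, so they are passed through
            # here (assumption).
            out.append(ch)
    return "".join(out) + ".DAT"


def host_from_dat_name(dat_name: str) -> str:
    """Recover the computer name from a found .DAT file (mapping is self-inverse)."""
    stem = dat_name.upper().removesuffix(".DAT")
    return magistr_dat_name(stem).removesuffix(".DAT")


def candidate_paths(computer_name: str, windows_dir: str = "C:\\Windows") -> list[str]:
    """The three drop locations named in the alert.

    Which one a given first character selects is not stated, so all three are
    returned for a hunt; windows_dir is a parameter because the directory may
    be WINNT, WIN95 or WIN98 on the systems the alert lists.
    """
    name = magistr_dat_name(computer_name)
    return ["C:\\" + name, windows_dir + "\\" + name, "C:\\Program Files\\" + name]


if __name__ == "__main__":
    for host in ("CS-GOAT", "WORKSTATION7"):
        print(host, "->", magistr_dat_name(host))
        for path in candidate_paths(host):
            print("   look for:", path)
```

Because the mapping is its own inverse, a .DAT file found on a share can be mapped straight back to the name of the host that dropped it, which helps trace a network infection to its source machine.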
Next, "Magistr" silently determines the SMTP server the infected computer uses and, on behalf of the user, sends e-mail messages through it carrying randomly chosen PE EXE or SCR files of less than 132 KB that are already infected with the virus. The subjects of the messages are selected at random from DOC and TXT files found on the computer or from a list of English, Spanish and French phrases embedded in the virus body. The message body contains no text. This variability in the outward appearance of the messages makes it much harder for users to recognize an infected e-mail themselves.
Note also that when sending infected e-mails, "Magistr" randomly alters the sender's return address by deleting or changing some characters. This too helps conceal the virus's activity: the recipient cannot reply because the return address is invalid, so the owner of the infected computer never learns that unauthorized messages are being sent from it.
Immediately after the virus code runs, "Magistr" infects all PE EXE and SCR files found in the "Windows," "WinNT," "Win95" and "Win98" directories of all local and network drives attached to the computer. It then scans all reachable network resources, looks for the same directories, and infects the PE EXE and SCR files there. When infecting files, "Magistr" uses several sophisticated techniques that significantly complicate detection and removal: the virus body is split into three parts, two of which are encrypted with a strong polymorphic algorithm.
When an infected file is run, the virus immediately takes control at the program's entry point and redirects execution to the main virus code. Only after the main virus code has finished does the virus return control to the original program.
To ensure its persistence in infected systems, "Magistr" modifies the WIN.INI configuration file and the Windows system registry so that the virus is activated each time the system boots. When infecting network resources, the virus modifies only the WIN.INI file.
"Magistr" carries a very dangerous destructive payload. One month after the day of the first infection, the virus destroys all files on local and network drives of computers running Windows NT/2000 by overwriting their contents with the string "YOUARESHIT". Under Windows 95/98, the virus additionally clears the CMOS memory (which holds the computer's boot-up hardware settings) and, just like the "Chernobyl" (CIH) virus, destroys the data in the Flash BIOS chip. It then displays the following message box:
Another haughty bloodsucker.......
YOU THINK YOU ARE GOD ,
BUT YOU ARE ONLY A CHUNK OF SHIT
Depending on internal triggers, the virus also runs another payload routine that produces a "runaway icons" effect: when the user moves the cursor toward a desktop icon, the icon immediately jumps to another location, so the user cannot start the corresponding application.
Considering the dangers and breathtaking spreading speed of the "Magistr" virus, it is HIGHLY recommended to update YOUR anti-virus database as soon as possible.
We thank you ALL for your kind votes which made this site FIRST in two categories.
ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.
IMPORTANT NOTICE:
ALL those who are receiving this advice and find 'FAILED' followed by a 6- or 8-digit figure in the "name" field should be advised that at least once, e-mails to that address have been returned to us. As the list of subscribers now exceeds 100,000, and since this is a free service, we kindly urge you to become a registered subscriber to this service and ensure delivery by subscribing under a reliable e-mail address. WE REGRET THAT AFTER THIS ISSUE, ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages.
PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST
PLEASE ALSO NOTE THE FOLLOWING:
1) You are currently SUBSCRIBED to our mailing list.
2) If you are receiving more than one copy of this warning, please click here.
3) If you DO NOT wish to receive any more of these alerts, please click here.
4) YOUR friends are also welcome to be on the VIRUS ALERT, but an e-mail has to be sent to the Webmaster by themselves so that a record of all requests can be kept in case somebody cries "SPAM"! Simply click here and send the e-mail as it appears.
5) THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY
6) ALSO PLEASE BE ADVISED THAT YOUR E-MAIL ADDRESS WILL NEVER BE SOLD, EXCHANGED OR IN ANY WAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
******
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
150301/140802/110904/071004