Virus Profile: W32/Magistr.a@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Medium | Corporate Medium
Date Discovered: 3/12/2001
Date Added: 3/13/2001
Origin: Europe
Length: Varies, adds at least 24 Kb
Type: Virus
Subtype: Worm
DAT Required: 4128
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

- Icons on the desktop move when the mouse cursor passes over them.
- Increase in size of .EXE files (adds 24Kb or more).
- Infected files use a modified access date of the time of the infection.
- Presence of a newly created .DAT file containing email addresses (representing those users which were sent the virus).
-Entry in WIN.INI RUN=(App).
-Entry in Registry, run key value:
HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\AppName (varies)=C:\WINDOWS\SYSTEM\(App).EXE (varies).

Methods of Infection

This worm arrives as an .EXE file with varying filenames. Executing this attachment infects your machine which is used to propagate the virus.

When first run, the virus may copy one .EXE file in the WINDOWS or WINDOWS SYSTEM directory using the same name with an altered last character.

For example, CFGWIZ32.EXE becomes CFGWIZ31.EXE, PSTORES.EXE becomes PSTORER.EXE, etc (this naming convention seems to be consistent where the last character of the filename is decreased by a factor of 1) .

This copy is then infected and a WIN.INI entry, or a registry run key value may be created, to execute this infected file upon system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
CFGWIZ31=C:\WINDOWS\SYSTEM\CFGWZ31.EXE

This copied executable infects other PE .EXE files in the SYSTEM directory and subdirectories, when run. It also infects over open network shares.

This virus will create a .DAT file on the local file system which contains strings of the files used to grab email address from (.dbx, .mbx, .wab), and also strings of email addresses which will be used as a target list. The .DAT file will be named after the machine name, but in an offset method. For instance, here is a corresponding list of letter equivalents used:

original letter corresponds to a -> y b -> x c -> w d -> v e -> u f -> t g -> s h -> r i -> q j -> p k -> o l -> n m -> m n -> l o -> k p -> j q -> i r -> h s -> g t -> f u -> e v -> d w -> c x -> b y -> a z -> z

Numbers are not affected. So a machine name of ABC-123 would have a .DAT file on the local system named YXW-123.DAT.

An additional item of note is that this worm often alters the REPLY-TO email address when mailing itself to others. In a similar fashion to the other name changes made by this virus, one letter of the address is incremented or decremented. Thus when attempting to contact the infected user to alert them, the message is often returned do to this address modification.

Aliases

I-Worm.Magistr (AVP) , Magistr (F-Secure), PE_MAGISTR.A (Trend), W32.Magistr.24876@mm (Symantec) , W32/Disemboweler (Panda), W32/Magistr-a (Sophos), W32/Magistr.a.dam1, W32/Magistr.dam, W32/Magistr.dam2, W32/Magistr@MM
   

Virus Characteristics

W32/Magistr@MM is a combination of a files infector virus and e-mail worm.
- The viral code infects 32 bit PE type files (.exe) in the WINDOWS directory and subdirectories.
- It uses mass mailing techniques to send itself to email addresses stored in several places.
- It installs itself to run at each system startup.

Five minutes after the virus is run, it attempts a mailing routine. Email addresses are gathered from the Windows Address Book, Outlook Express mailboxes, and Netscape mailboxes (addresses found in email messages within existing mailboxes are gathered), and these file locations and addresses are saved to a hidden .DAT file somewhere on the hard disk (varies). The messages sent by the worm contain varying subject headings, body text, and attachments. The body of the message is derived from the contents of other files on the victim's computer. It may send more than one attachment and may include non .EXE or non-viral files along with an infectious .EXE file. The second letter of the e-mail address in the From: field is often changed by the virus. As a result, replying to the message will fail due to the invalid address.

The virus proceeds by infecting 32 bit PE (Portable Executable) type .EXE files found in the WINDOWS SYSTEM directory and subdirectories. The viral code is encrypted, polymorphic, and uses anti-debugging techniques to make it difficult to detect. Email addresses have been seen encrypted in infected files. These addresses are believed to represent other users that have also been infected from the same point of origin.

In the decrypted body of the virus code, the following comments exist:

ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler.
by: The Judges Disemboweler.
written in Malmo (Sweden)

W32/Magistr@MM has a payload routine that, on some systems, may result in cmos/bios info being erased as well as destroying sectors on the hard disk.

Variants

Variants information
Virus Name Type Subtype Differences
W32/Magistr.dam3 Virus - The W32/Magistr.dam3 detection covers executable files which the virus has corrupted. These files are not repairable. They should be deleted and restored from backup.
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations