Virus Characteristics
This variant of W32/Magistr.a@MM is considered a medium risk due to the number of samples received by AVERT.
The variant differs in several ways.
- It uses a more complex encryption technique.
- It deletes all .NTZ files on the local machine.
- It terminates the ZoneAlarm firewall user-interface process if it is running (only the user interface, not the whole product).
- It writes a shell= value under [boot] in SYSTEM.INI so that it is run at startup.
- It uses a file extension chosen at random from .bat, .com, .exe and .pif for the executables it sends.
- The file name of the attachment it sends out may be taken from a word found inside files on the infected system.
- It has also been reported to:
  - retrieve email addresses from Eudora mailbox files (.MBX);
  - overwrite WIN.COM (Windows 9x) or NTLDR (Windows NT) with a program that erases data from the hard disk (the dropped program is detected as QZap195; the overwritten WIN.COM or NTLDR must be replaced from backups);
  - send .GIF files found on the local machine to other recipients along with itself.
The characteristics mentioned above are in addition to those found under the W32/Magistr.a@MM description.
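The SYSTEM.INI persistence described above is the easiest of these characteristics to check for by hand during clean-up. The script below is an added example, not part of this description and not an AVERT tool: it parses the text of a Windows 9x SYSTEM.INI and reports anything unusual about the [boot] shell= line. Because the description does not state the exact form of the value the virus writes, the check flags any departure from the default (a program other than explorer.exe, a second program chained after it, or more than one shell= line) rather than looking for one specific string. The INI samples and the file name placeholder.exe are constructed for the example.

```python
import re

# Default Windows 9x/Me shell; a clean [boot] shell= line carries only this.
DEFAULT_SHELL = "explorer.exe"

# Constructed samples (not real captures). The second one shows a program
# chained after the shell, the third one shows the shell replaced outright.
CLEAN_SYSTEM_INI = """; constructed sample
[boot]
shell=Explorer.exe
system.drv=system.drv
[386Enh]
device=*vshare
"""

TAMPERED_SYSTEM_INI = """; constructed sample: extra program appended to shell=
[boot]
shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\placeholder.exe
system.drv=system.drv
"""

REPLACED_SYSTEM_INI = """; constructed sample: shell= replaced outright
[boot]
shell=C:\\WINDOWS\\placeholder.exe
"""


def parse_ini(text):
    """Minimal INI parser: {section: [(key, value), ...]}.

    Order and duplicate keys are preserved on purpose: a second shell= line
    is itself something an analyst wants to see, not have overwritten.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+?)\]\s*$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def audit_boot_shell(text):
    """Return a list of findings for [boot] shell=; an empty list means clean."""
    entries = [v for k, v in parse_ini(text).get("boot", []) if k == "shell"]
    if not entries:
        return ["no shell= line under [boot]"]
    findings = []
    if len(entries) > 1:
        findings.append("%d shell= lines under [boot]" % len(entries))
    for value in entries:
        tokens = value.split()
        if not tokens:
            findings.append("empty shell= line")
            continue
        # First token is the shell program; compare its base name only,
        # so a full path to explorer.exe still counts as the default.
        program = re.split(r"[\\/]", tokens[0].lower())[-1]
        if program != DEFAULT_SHELL:
            findings.append("shell program replaced: %s" % value)
        elif len(tokens) > 1:
            findings.append("extra program(s) chained after the shell: %s"
                            % " ".join(tokens[1:]))
    return findings


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SYSTEM_INI),
                         ("tampered", TAMPERED_SYSTEM_INI),
                         ("replaced", REPLACED_SYSTEM_INI)):
        print(name, audit_boot_shell(sample) or ["clean"])
```

Run it against a copy of the SYSTEM.INI taken from the suspect machine (read the file and pass its contents to audit_boot_shell). Any chained program it reports should be submitted for analysis before the line is restored to shell=Explorer.exe; restoring the line alone does not remove the file it points to.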