Sophos

W32/Magistr-B

Aliases
  • W32/Magistr.B@MM
  • W32.Magistr.39921@mm
  • I-Worm.Magistr.b.poly
  • PE_MAGISTR.B

Summary

Included in our products from October 2001 (3.50)
Detected by All Sophos products

Action

Please read the instructions for disinfecting W32/Magistr-B.

More Information

W32/Magistr-B is a variant of W32/Magistr-A: a memory-resident, polymorphic virus that infects 32-bit Windows (PE) executable files and spreads both by infecting files and by mailing copies of itself.

The virus terminates ZoneAlarm before connecting to the Internet. It then harvests email addresses from the user's address book, mailboxes and other files on the computer, specifically targeting addresses stored by Outlook Express, Netscape Messenger, Internet Mail and News, and Eudora. It mails itself to those addresses using its own built-in SMTP client, so it does not depend on the installed mail program.

The subject and body of the email are generated at random from the contents of document and text files found on the user's computer, so they may contain confidential information. The virus sends itself as an attachment whose name is either the original name of the infected file or a randomly generated name, with one of the extensions COM, BAT, PIF or EXE. It sometimes also attaches additional GIF, DOC or TXT files taken from the machine.

W32/Magistr-B infects Windows EXE and SCR files on the local machine and across the local network. While searching for files to infect it deletes every NTZ file it finds. To ensure that it runs again when the computer is restarted, it randomly selects one of the following three persistence methods:

  1. Adding the following entry to the win.ini file:

    [WINDOWS]
    run=infectedfilename

  2. Adding the following entry to the system.ini file:

    [boot]
    shell=explorer.exe infectedfilename

  3. Setting the following registry key:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run\infectedfile = <path to the infected file>

It also modifies the corresponding INI file on other computers on the network so that they run the virus when they are next restarted.
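The three autorun locations above are also the three places to check when hunting for this family. The script below is an added example (not Sophos' tooling and not part of the original analysis): it parses win.ini, system.ini and a regedit export of the HKLM Run key and reports anything that does not match a clean baseline. The sample file contents, the file name REPORT.EXE and the allow-list are constructed for illustration; on a real host you would read the live files and an export produced with regedit /e.

```python
"""Added example: audit the three autorun locations W32/Magistr-B uses.
Not Sophos' code; sample inputs below are constructed, not captured."""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CLEAN_SHELL = "explorer.exe"   # system.ini [boot] shell= on a clean machine


def parse_ini(text):
    """Minimal INI/.reg parser: {section_lower: {key: value}}.
    Good enough for win.ini, system.ini and a regedit /e export."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def lookup(sections, section, key):
    """Case-insensitive key lookup inside one section; None if absent."""
    for k, v in sections.get(section.lower(), {}).items():
        if k.lower() == key.lower():
            return v
    return None


def check_win_ini(text):
    """Method 1: [windows] run= is empty on a clean machine; any value is a hit."""
    run = lookup(parse_ini(text), "windows", "run") or ""
    return [("win.ini [windows] run", run)] if run else []


def check_system_ini(text):
    """Method 2: [boot] shell= must be exactly explorer.exe. Magistr-B appends
    its own file name so the virus starts alongside the shell."""
    shell = lookup(parse_ini(text), "boot", "shell") or CLEAN_SHELL
    if shell.lower() != CLEAN_SHELL:
        return [("system.ini [boot] shell", shell)]
    return []


def check_run_key(reg_export, allow=frozenset()):
    """Method 3: walk a regedit /e export of the HKLM Run key and report every
    value whose name is not on the caller's allow-list. .reg files quote names
    and data and double backslashes, so both are undone before reporting."""
    allowed = {a.lower() for a in allow}
    hits = []
    for name, data in parse_ini(reg_export).get(RUN_KEY.lower(), {}).items():
        name = name.strip('"')
        if name.lower() in allowed:
            continue
        path = data.strip('"').replace("\\\\", "\\")
        hits.append(("HKLM Run\\" + name, path))
    return hits


def scan_all(win_ini, system_ini, reg_export, allow=frozenset()):
    """Combine the three checks; returns a list of (location, value) findings."""
    return (check_win_ini(win_ini)
            + check_system_ini(system_ini)
            + check_run_key(reg_export, allow))


# Constructed samples showing all three methods applied to a file REPORT.EXE.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\DOCS\REPORT.EXE
[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = r"""[boot]
shell=explorer.exe C:\DOCS\REPORT.EXE
[386Enh]
device=*vshare
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"REPORT"="C:\\DOCS\\REPORT.EXE"
"""

if __name__ == "__main__":
    for location, value in scan_all(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI,
                                    SAMPLE_REG, allow={"ScanRegistry"}):
        print(f"SUSPECT  {location} = {value}")
```

The allow-list is the only judgement call: the Run key legitimately holds entries, so the check reports everything not explicitly approved rather than trying to guess which executable is the virus. The INI checks need no list because both keys are empty (or exactly explorer.exe) on an uninfected machine.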

Depending on the time elapsed since the computer was first infected, and on other internal counters, the following payloads can be triggered:

  1. Overwriting win.com (Windows 9x) and ntldr (Windows NT) with code that overwrites the master boot record of the hard disk with garbage the next time the computer is restarted.
  2. Overwriting all files with the string "YOUARESHIT".
  3. Displaying the message:

    "Another haughty bloodsucker.......
    YOU THINK YOU ARE GOD,
    BUT YOU ARE ONLY A CHUNK OF SHIT"

  4. Overwriting (under Windows 9x) the master boot record of the hard disk with garbage so that the computer will no longer boot.
  5. Making Desktop icons appear to "run away" from the mouse cursor.
