
MAGISTR
SPREADS USING E-MAIL ATTACHMENTS
Virus Name : W32.Magistr
Alias : W32/Magistr.a@MM, I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr.24876@mm, W32/Disemboweler, W32/Magistr-a, W32/Magistr@MM, Win32.Magistr.a.
Virus type : File Infector, E-mail worm
Threat level : Medium
Virus details :
Magistr is a complex polymorphic worm that spreads via e-mail and contains a virus component that infects PE files (*.EXE, *.SCR) on Windows. It infects the local machine and PCs connected to the local network (LAN). This virus is frequently reported in the wild.
Magistr contains an extremely dangerous payload that will damage the motherboard and the hard disk. It also e-mails your document and text files, so it may distribute your confidential information.
A new modified variant of the Magistr virus is spreading in the wild. This variant also sends infected mails with .COM, .BAT and .PIF attachments. It overwrites the WIN.COM and NTLDR files with a destructive Trojan program, deletes all .NTZ files and terminates the ZoneAlarm firewall software if it is found active.
The payload of Magistr is stolen from the deadly Win95/CIH virus. Computer motherboards manufactured in the last few years store their BIOS on a rewritable flash ROM chip. Magistr directly attacks the code stored in the flash ROM chip and makes the computer unbootable.
Magistr arrives as an e-mail attachment. When the infected attachment is executed, it searches for the Explorer.exe process in memory and inserts a 110-byte routine into a writable section. The TranslateMessage function is hooked to point to that routine, which waits three minutes. It then scans the system registry for the e-mail clients Outlook Express, Netscape Messenger and Internet Mail. Based on the registry information it collects e-mail addresses from .wab, .mbx and .dbx files and stores them in a DAT file to maintain its mailing list. The decrypted virus body contains the last 10 addresses mailed.
After collecting the e-mail addresses, it checks for an active Internet connection. If one is present, it infects one .EXE or .SCR file and mails it to 100 e-mail addresses; it may also send documents from the machine along with the infected mail. Magistr uses its own SMTP engine to mail infected attachments. The SMTP gateway used is 209.247.194.44, 63.241.16.56 or 207.46.230.218.
After the mailing is complete, Magistr adds a "run=" command in WIN.INI or modifies the registry so that it is loaded automatically on the next start. The registry sub key added is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It then searches all local and network folders and infects twenty *.EXE and *.SCR files in one stretch. If a Windows folder exists on a network machine, it adds a "run=" command to that machine's WIN.INI file so it is loaded on the next startup.
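A host-side check for the two autostart locations the worm uses, written as an added example (not the advisory's or Solo's own tooling). It assumes a WIN.INI layout with a [windows] section and, off Windows, a constructed Run-key snapshot; the file names and value names are made up.

```python
"""Persistence check for the two Magistr autostart locations described above.
Added example, not the advisory's own tooling: it parses WIN.INI for a run=
entry under [windows] and diffs the HKLM Run key against a baseline snapshot.
Off Windows the registry read returns a constructed sample; names are made up.
"""
import configparser

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed WIN.INI content with a run= line of the kind the worm adds.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\EXAMPLE.EXE
"""

# Constructed Run-key snapshots: baseline taken earlier, current taken now.
BASELINE_RUN = {"SoundMan": r"C:\WINDOWS\soundman.exe"}
SAMPLE_CURRENT_RUN = {"SoundMan": r"C:\WINDOWS\soundman.exe", "Example": r"C:\WINDOWS\EXAMPLE.EXE"}


def win_ini_run_value(ini_text: str) -> str:
    """Return the run= value from the [windows] section ('' if absent)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    return parser.get("windows", "run", fallback="").strip()


def read_run_key() -> dict:
    """Read HKLM\\...\\Run on Windows; elsewhere return the constructed sample."""
    try:
        import winreg
    except ImportError:
        return dict(SAMPLE_CURRENT_RUN)
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        for i in range(count):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values


def persistence_findings(ini_text: str, baseline: dict, current: dict) -> list:
    """List autostart entries matching the worm's persistence behaviour."""
    findings = []
    run = win_ini_run_value(ini_text)
    if run:  # a stock WIN.INI leaves run= empty
        findings.append(f"WIN.INI run={run}")
    for name, target in current.items():
        if baseline.get(name) != target:  # new or changed Run value
            findings.append(f"Run\\{name}={target}")
    return findings
```

Call `persistence_findings(SAMPLE_WIN_INI, BASELINE_RUN, read_run_key())` on a host to list the entries worth reviewing.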
Magistr searches for Word and text files and collects text from them. This information is combined with the following strings to form the message body and subject of the infected mail:
sentences you
sentences him to
sentence you to
ordered to prison
convict
, judge
circuit judge
trial judge
found guilty
find him guilty
affirmed
judgment of conviction
verdict
guilty plea
trial court
trial chamber
sufficiency of proof
sufficiency of the evidence
proceedings
against the accused
habeas corpus
jugement
condamn
trouvons coupable
a rembourse
sous astreinte
aux entiers depens
aux depens
ayant delibere
le present arret
vu l'arret
conformement a la loi
execution provisoire
rdonn
audience publique
a fait constater
cadre de la procedure
magistrad
apelante
recurso de apelaci
pena de arresto
y condeno
mando y firmo
calidad de denunciante
costas procesales
diligencias previas
antecedentes de hecho
hechos probados
sentencia
comparecer
juzgando
dictando la presente
los autos
en autos
denuncia presentada
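The indicators above (the SMTP gateways, the attachment extensions and the subject strings) can be turned into simple mail-log triage; this is an added example, not part of the advisory. The log format is constructed (one line per outbound message: timestamp, SMTP peer, subject, attachment name), the phrase list is a subset of the strings quoted above, and the threshold of two indicators is an assumption.

```python
"""Triage of outbound-mail log lines against the Magistr indicators above.
Added example, not the advisory's own tooling; log format and threshold are
constructed for the demonstration.
"""
import re

# Indicators taken from the advisory text.
SMTP_GATEWAYS = {"209.247.194.44", "63.241.16.56", "207.46.230.218"}
ATTACHMENT_EXTS = (".exe", ".scr", ".com", ".bat", ".pif")
# Subject fragments; several are stems (e.g. "condamn", "recurso de apelaci"),
# so matching is a case-insensitive substring search.
PHRASES = ("sentences you", "sentence you to", "found guilty", "judgment of conviction",
           "habeas corpus", "trial court", "condamn", "trouvons coupable",
           "recurso de apelaci", "hechos probados", "sentencia", "magistrad")

LINE_RE = re.compile(r'^(?P<ts>\S+) peer=(?P<peer>\S+) subject="(?P<subject>[^"]*)"'
                     r' attach=(?P<attach>\S*)$')

# Constructed sample log: one Magistr-like line, one benign, one partial match.
SAMPLE_LOG = """\
2001-03-14T10:02:11 peer=209.247.194.44 subject="judgment of conviction" attach=report.scr
2001-03-14T10:05:40 peer=192.0.2.10 subject="lunch on friday?" attach=menu.pdf
2001-03-14T10:07:03 peer=192.0.2.11 subject="recurso de apelacion" attach=expediente.pif
"""


def indicators(peer: str, subject: str, attach: str) -> list:
    """Return the Magistr indicators present in one message record."""
    low = subject.lower()
    hits = [f"phrase:{p}" for p in PHRASES if p in low]
    if attach.lower().endswith(ATTACHMENT_EXTS):
        hits.append(f"attachment:{attach}")
    if peer in SMTP_GATEWAYS:
        hits.append(f"gateway:{peer}")
    return hits


def triage(log_text: str, threshold: int = 2) -> list:
    """Parse log lines; return (timestamp, hits) for lines at or above threshold."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        hits = indicators(m["peer"], m["subject"], m["attach"])
        if len(hits) >= threshold:
            flagged.append((m["ts"], hits))
    return flagged
```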
Magistr uses complex polymorphic engines and anti-debugging tricks to make detection difficult. It steals up to 512 bytes of code from the program entry point and stores garbage from its polymorphic routines there. By restoring this code, the infected file is safely recovered. Solo cleans the Magistr virus without problems.
One month after infection, Magistr overwrites all files with the text "YOUARESHIT". It also erases your CMOS memory, flash BIOS and hard disk data. It displays the following message box after the payload is executed:
"Another
haughty bloodsucker.......
YOU THINK YOU ARE GOD ,
BUT YOU ARE ONLY A CHUNK OF SHIT"
Using an internal counter, the worm moves the icons away from the mouse pointer. It also contains the copyright string
"ARF! ARF! I GOT YOU! v1rus:
Judges Disemboweler. by: The Judges Disemboweler.
written in Malmo (Sweden)"
How can I protect my system?
Solo has incorporated Win32/Magistr in its signature file to protect users from this virus attack. Registered users of Solo antivirus are already protected from this virus. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats.
How to remove this virus?
If you are infected with the Win32/Magistr virus, run Solo antivirus and choose the clean option to repair the worm-infected files. Solo antivirus can detect and remove the Win32/Magistr virus safely. Since Magistr is a highly polymorphic virus, in a few cases a file cannot be cleaned; you then have to copy the files reported as "Corrupted" from the installation CD or from a backup. Use the following link to download the 30-day trial version of Solo antivirus [1670 KB] to remove viruses from your computer.

Solo anti-virus not only scans for all viruses; it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VB and Java scripts, Trojans, backdoors, boot sector, partition table and macro viruses.
You can purchase Solo antivirus using the link
