
Magistr Virus

Information about Magistr virus:

Magistr is a complex polymorphic worm that spreads via e-mail and carries a virus component that infects PE files (*.EXE, *.SCR) on Windows. It infects the local machine and the PCs connected to the local network (LAN). This virus is frequently reported in the wild.

Magistr contains an extremely dangerous payload: it will damage the motherboard and the hard disk. It will also e-mail your document and text files, so it may distribute your confidential information.

A new modified variant of the Magistr virus is spreading in the wild. This variant also sends infected mails with .COM, .BAT and .PIF extensions. It overwrites the WIN.COM and NTLDR files with a destructive Trojan program. It also deletes all .NTZ files and terminates the ZoneAlarm firewall software if it is found running.

The payload of Magistr is stolen from the deadly Win95/CIH virus. Computer motherboards manufactured in the last few years store their BIOS on a rewritable flash ROM chip. Magistr directly attacks the code stored in that flash ROM chip and makes the computer unbootable.

Magistr arrives as an e-mail attachment. When the infected attachment is executed, it searches memory for the Explorer.exe process and inserts a 110-byte routine into a writeable section. The TranslateMessage function is hooked to point to that routine, which waits three minutes. It then scans the system registry for the e-mail clients Outlook Express, Netscape Messenger and Internet Mail. Based on the registry information it collects e-mail addresses from .wab, .mbx and .dbx files and stores them in a DAT file to maintain its mailing list. The decrypted virus body contains the last 10 addresses mailed to.

After collecting the e-mail addresses, it checks for an active internet connection. If one is present, it infects one .EXE or .SCR file and mails it to 100 e-mail addresses. It may also send documents along with the infected mail. Magistr uses its own SMTP engine to mail the infected attachments; the SMTP gateway will be 209.247.194.44, 63.241.16.56 or 207.46.230.218.

After the mailing is complete, Magistr adds a "run=" command to Win.ini or modifies the registry so that it is loaded automatically at the next startup. The registry sub key added is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It then searches all local and network folders and infects twenty *.EXE and *.SCR files in one stretch. If a Windows folder exists on a network machine, it adds a "run=" command to that machine's WIN.INI file so that it loads on the next startup.

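The persistence entries and the SMTP gateways named in the two paragraphs above are things a defender can check for directly. The following is an added example, not code from this page or from the Fire product: it parses a WIN.INI for non-empty "run=" lines in the [windows] section, lists the values under the HKLM Run key from a file written by "reg export", and flags outbound TCP/25 sessions to the three gateway addresses in a firewall log. The WIN.INI, .reg and log samples are constructed, and the key=value log layout (src= dst= dport= proto=) is an assumed format, not one the page describes.

```python
"""Triage checks for the persistence entries and SMTP gateways described above.

Added example; not code from this page or from the Fire product. The WIN.INI,
.reg export and firewall log samples below are constructed for the demo.
"""
import re
from typing import List, Tuple

# Values taken from the page text.
MAGISTR_SMTP_GATEWAYS = {"209.247.194.44", "63.241.16.56", "207.46.230.218"}
MAGISTR_RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def winini_run_entries(ini_text: str) -> List[str]:
    """Return the programs named on 'run=' lines in the [windows] section of WIN.INI.

    A clean WIN.INI usually has this line absent or empty, so any non-empty value
    deserves a look (some legitimate software used it too, so it is a lead, not proof).
    """
    section = None
    found: List[str] = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() == "run":
            # run= may list several programs separated by spaces or commas
            found.extend(p for p in re.split(r"[ ,]+", value.strip()) if p)
    return found


def reg_export_run_values(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value name, data) pairs under the HKLM ...\\Run key from a 'reg export' file."""
    in_key = False
    values: List[Tuple[str, str]] = []
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == MAGISTR_RUN_KEY.lower()
            continue
        if in_key:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files write each backslash in string data as two backslashes
                values.append((m.group(1), m.group(2).replace("\\\\", "\\")))
    return values


def smtp_gateway_hits(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source, destination) for TCP/25 sessions to one of the listed gateways.

    The key=value layout (src= dst= dport= proto=) is an assumed firewall log format.
    """
    field = re.compile(r"src=(\S+)\s+dst=(\d+\.\d+\.\d+\.\d+)\s+dport=(\d+)\s+proto=tcp")
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = field.search(line)
        if m and m.group(3) == "25" and m.group(2) in MAGISTR_SMTP_GATEWAYS:
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed samples, not captures from a real machine.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\SAMPLE.EXE
[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SystemTray"="SysTray.Exe"
"Sample"="C:\\\\WINDOWS\\\\SYSTEM\\\\SAMPLE.SCR"
"""

SAMPLE_FW_LOG = [
    "Sep 12 10:01:02 fw1 kernel: ACCEPT src=10.0.0.5 dst=209.247.194.44 dport=25 proto=tcp",
    "Sep 12 10:01:03 fw1 kernel: ACCEPT src=10.0.0.5 dst=10.0.0.1 dport=25 proto=tcp",
    "Sep 12 10:01:04 fw1 kernel: ACCEPT src=10.0.0.7 dst=207.46.230.218 dport=80 proto=tcp",
    "Sep 12 10:01:05 fw1 kernel: ACCEPT src=10.0.0.9 dst=63.241.16.56 dport=25 proto=tcp",
]

if __name__ == "__main__":
    print("WIN.INI run= entries:", winini_run_entries(SAMPLE_WIN_INI))
    print("Run key values:", reg_export_run_values(SAMPLE_REG_EXPORT))
    print("SMTP gateway sessions:", smtp_gateway_hits(SAMPLE_FW_LOG))
```

Run as a script it prints the three result lists for the constructed samples. On a live Windows host the same functions can be fed the contents of C:\WINDOWS\WIN.INI and a file produced by "reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg". A non-empty run= line or an unfamiliar Run value is a lead to examine, not proof of infection on its own; a session to one of the three gateway addresses from a workstation that has no business sending mail directly is the stronger signal, since the page says the worm bypasses the user's mail client with its own SMTP engine.
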
Magistr searches for Word and text files and collects text from them. This text is combined with the following strings to form the message body and subject of the infected mail:

sentences
you
sentences him to
sentence you to
ordered to prison
convict
, judge
circuit judge
trial judge
found guilty
find him guilty
affirmed
judgment of conviction
verdict
guilty plea
trial court
trial chamber
sufficiency of proof
sufficiency of the evidence
proceedings
against the accused
habeas corpus
jugement
condamn
trouvons coupable
a rembourse
sous astreinte
aux entiers depens
aux depens
ayant delibere
le present arret
vu l'arret
conformement a la loi
execution provisoire
rdonn
audience publique
a fait constater
cadre de la procedure
magistrad
apelante
recurso de apelaci
pena de arresto
y condeno
mando y firmo
calidad de denunciante
costas procesales
diligencias previas
antecedentes de hecho
hechos probados
sentencia
comparecer
juzgando
dictando la presente
los autos
en autos
denuncia presentada

Magistr uses complex polymorphic engines and anti-debugging tricks to make detection difficult. It steals up to 512 bytes of code from the program entry point and stores garbage polymorphic routines there. By restoring this code, the infected file is safely recovered. Fire cleans the Magistr virus without problems.

One month after infection, Magistr overwrites all files with the text "YOUARESHIT". It also erases your CMOS memory, Flash BIOS and hard disk data. It displays the following message box after the payload is executed:

"Another haughty bloodsucker.......
YOU THINK YOU ARE GOD ,
BUT YOU ARE ONLY A CHUNK OF SHIT"

Using an internal counter, the worm moves icons away from the mouse pointer. It also contains the copyright string

"ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler. by: The Judges Disemboweler. written in Malmo (Sweden)"

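The two fixed strings quoted above (the copyright string and the "YOUARESHIT" text written over files once the payload fires) are usable as file-content indicators. The following is an added example, not the Fire scanner: it searches files for those byte strings, reading large files in chunks with an overlap so that a match straddling a chunk boundary is still found exactly once, and builds a few constructed sample files in a temporary directory to scan. It assumes both strings are stored as plain ASCII in the file being checked; the page itself says the virus body is decrypted at run time, so an encrypted on-disk copy would not be found this way and a miss is not a clean bill of health.

```python
"""Content scan for the two fixed strings the page quotes for Magistr.

Added example; not the Fire scanner. The signature bytes come from the strings
quoted above; the sample files are constructed in a temporary directory.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# The copyright string is matched on its opening fragment so the check does not
# depend on the exact punctuation of the rest. Both are assumed to be stored as
# plain ASCII; the page says the virus body is decrypted at run time, so an
# encrypted copy on disk would not be found this way.
SIGNATURES: Dict[str, bytes] = {
    "magistr_copyright": b"ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler",
    "magistr_overwrite_marker": b"YOUARESHIT",
}

DEFAULT_CHUNK = 1 << 20  # 1 MiB reads, so large files need not fit in memory


def scan_bytes(data: bytes, base_offset: int = 0) -> List[Tuple[str, int]]:
    """Return (signature name, absolute offset) for every occurrence in data."""
    hits: List[Tuple[str, int]] = []
    for name, sig in SIGNATURES.items():
        pos = data.find(sig)
        while pos != -1:
            hits.append((name, base_offset + pos))
            pos = data.find(sig, pos + 1)
    return hits


def scan_file(path: str, chunk_size: int = DEFAULT_CHUNK) -> List[Tuple[str, int]]:
    """Scan a file chunk by chunk.

    The tail of each chunk is carried into the next one (one byte less than the
    longest signature), so a string that straddles a chunk boundary is still
    found; matches re-found inside that overlap are deduplicated by offset.
    """
    overlap = max(len(s) for s in SIGNATURES.values()) - 1
    hits: List[Tuple[str, int]] = []
    seen = set()
    carry = b""        # bytes carried over from the previous chunk
    carry_offset = 0   # absolute file offset of carry[0]
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk_size)
            if not block:
                break
            data = carry + block
            for hit in scan_bytes(data, carry_offset):
                if hit not in seen:
                    seen.add(hit)
                    hits.append(hit)
            carry = data[-overlap:]
            carry_offset += len(data) - len(carry)
    return hits


def scan_directory(root: str, chunk_size: int = DEFAULT_CHUNK) -> Dict[str, List[Tuple[str, int]]]:
    """Scan every file under root; return hits keyed by path relative to root."""
    results: Dict[str, List[Tuple[str, int]]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, chunk_size)
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def demo() -> Dict[str, List[Tuple[str, int]]]:
    """Write three constructed files to a temp directory and scan them with a
    deliberately small chunk size so the boundary handling is exercised."""
    with tempfile.TemporaryDirectory() as root:
        # constructed: a PE-looking file carrying the copyright string at offset 64
        with open(os.path.join(root, "SAMPLE.EXE"), "wb") as f:
            f.write(b"MZ" + b"\0" * 62 + SIGNATURES["magistr_copyright"] + b"\0" * 16)
        # constructed: a document overwritten with the marker text
        with open(os.path.join(root, "report.txt"), "wb") as f:
            f.write(b"YOUARESHIT" * 3)
        # constructed: a clean file
        with open(os.path.join(root, "clean.txt"), "wb") as f:
            f.write(b"quarterly figures\n")
        return scan_directory(root, chunk_size=32)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(rel, hits)
```

The 32-byte chunk size in demo() is chosen so that the 47-byte copyright string in SAMPLE.EXE spans a chunk boundary; with the default 1 MiB chunks the same file is found in a single read. A file full of the overwrite marker is past saving, which is why the page's one-month timer matters more than the scan: the useful window for this check is between infection and payload.
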
Removing Magistr virus from your system:

Fire has incorporated Magistr into its virus signature file, with the aim of helping users affected by this worm attack to detect and eliminate it from their systems. Fire anti-virus users can update this signature file by using the online update facility, which is available with the registered version of the Fire anti-virus Kit.

A free download of the FireLite [1100KB] version is also available to detect the Win32/Magistr virus. The Fire anti-virus kit provides a perfect cure for the Magistr virus. Magistr is also known as W32/Magistr.a@MM, I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr.24876@mm, W32/Disemboweler, W32/Magistr-a, W32/Magistr@MM and Win32.Magistr.a.

If you find this virus, use the registered version of Fire to remove it. To get the registered version of Fire, call us at 044-28170440, mail service@fireav.com or purchase Fire online using

[Analysis: Mr. Ramesh, Prognet Technologies Pvt. Ltd, Updated on Sept. 2001]