Worm:W32/Magistr

Classification

Category :

Malware

Type :

Worm

Aliases :

Worm:W32/Magistr

Summary

Magistr is a very dangerous memory resident Win32 worm combined with virus infection routines. It was found in-the-wild in the middle of March 2001.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Magistr virus spreads via Internet with infected emails, infects Windows executable files on an affected machine (local machine) and is able to spread itself over a local network (LAN).

The virus has an extremely dangerous payload, and depending on different conditions it erases hard drive data, CMOS memory and Flash Bios contents in the same way the Win95.CIH (aka Chernobyl) virus does.

The virus itself is about 30Kb long program written in Assembler, and that is very large for a virus written in pure Assembler language. This large size however is caused by virus Win32 EXE files infection algorithm, email and network spreading routines, polymorphic engines (there are two ones), payload routines and many anti-debugging and other tricks used by the virus to make its detection and disinfection more difficult. Thus this virus is one of the most complex viruses that are known at the moment.

Execution

When the virus is run (from infected message for example, if a user clicks on an infected attachment) it installs itself memory resident to Windows memory, then runs in background, sleeps for a few minutes and run its routines: local and network Win32 EXE files infection, email spreading, e.t.c. To install itself to memory the virus gets access to EXPLORER.EXE process memory (EXPLORER.EXE program image that is actually run and active in Win32 memory), patches it with a short 110-bytes "loader" routine that will then run main virus code in EXPLORER's memory. So the virus installs itself memory resident as a component of EXPLORER.EXE process and then operates in the background (being run as EXPLORER's thread). Before run its routines the virus sleeps for 3 minutes.

Infection

The virus then gets a file (usually the first file) in Windows directory, infects it and registers that file in Windows auto-run Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run and in WIN.INI file in [windows] section in "run=" instruction. So the virus code is activated on each Windows restart.

That file is infected so that the host program is not activated after virus runs (control is not returned back to host program, and an affected application just exits). Thus the virus activates itself from system Registry or from WIN.INI file without any side effect. The virus then runs its infection routines that scan directories and available drives for Win32 PE .EXE and .SCR files and infect them. First of all the virus tries WINNT, WINDOWS, WIN95 and WIN98 directories and infects files in there. That routine is randomly activated in 3 times of 4. Next the virus scans all local drives and infects files on them.

After that the virus enumerates network resources that are shared for full access, looks for WINNT, WINDOWS, WIN95, WIN98 directories in there, and infects files in these directories. The virus also registers itself in there by writing "run=" instruction to WIN.INI file. So remote Win9x systems will get infection on next Windows startup.

While processing the drives the virus creates a special .DAT file for its own use. The file name and location depends on the network name of current machine, for example:

Machine name File name

  • WIN98 - > CQL98.DAT
  • PUPKIN - > JEJOQL.DAT
  • CS-GOAT - > WG-SKYF.DAT

That file is created in Windows directory, or in 'Program Files' directory, or in root directory of C: drive, or in root directory of system drive.

The virus affects PE EXE files (Win32 executables) in a complex and difficult-to-disinfect way. The virus encrypts its main code with polymorphic engine and writes itself to the end of the file. To get control on an infected file's start the virus patches the entry code with one more polymorphic routine that passes control to the end of the file to main encrypted virus code.

Propagation (email)

To send infected emails the virus reads the settings of installed Email client settings from system registry. It gets info on the following clients:

  • Outlook Express
  • Netscape Messenger
  • Internet Mail and News

The virus then scans email database files of the found email clients, gets email addresses from there and sends its copies to the found addresses. The infected messages may have no body (no text in a message), or a randomly constructed text. The same applies to the Subject. The attached file name is variable, it can have EXE or SCR extension. The virus looks in the system for a PE EXE file up to 132K of length, infects it and attaches to the message.

The Subject and Body are randomly constructed from words and sentences that are found in .DOC and .TXT files in the system (the virus also scans local drives for these files and get texts from there). Randomly as well the virus uses words and sentences from the following list:

  • sentences you ayant delibere
  • sentences him to le present arret
  • sentence you to vu l',27h,'arret
  • ordered to prison conformement e la loi
  • convict execution provisoire
  • judge rdonn
  • circuit judge audience publique
  • trial judge a fait constater
  • found guilty cadre de la procedure
  • find him guilty magistrad
  • affirmed apelante
  • judgment of conviction recurso de apelaci
  • verdict pena de arresto
  • guilty plea y condeno
  • trial court mando y firmo
  • trial chamber calidad de denunciante
  • sufficiency of proof costas procesales
  • sufficiency of the evidence diligencias previas
  • proceedings antecedentes de hecho
  • against the accused hechos probados
  • habeas corpus sentencia
  • jugement comparecer
  • condamn juzgando
  • trouvons coupable dictando la presente
  • rembourse los autos
  • sous astreinte en autos
  • aux entiers depens denuncia presentada
  • aux depens

While sending infected messages the virus connects to one of three email servers using SMTP protocol, and send messages to there. The virus also randomly (in 4 cases of 5 corrupts) second letter in a sender name.

The virus stores in its body ten email addresses of already infected users (like a history of spreading - 10 latest email addresses the virus was spreading from). While spreading the virus compares a victim email address with that list, and does not send messages to addresses that are already infected.

Payload

Depending on its internal counters the virus manifests itself: it gets access to Windows desktop and does not allow to access icons on the desktop by mouse. When mouse cursor is moved to an icon, the virus moves the icon out of the cursor. It looks like desktop icons try to "escape" mouse cursor. The similar effect was first introduced by Joke.Win.Stupid joke program, but there was a button 'running away' from mouse cursor, not an icon.

In one month after infecting the computer the virus runs its payload routine that overwrites all disk files with text "YOUARESHIT" on all local and network drives. Under Win9x the virus also erases CMOS, Flash Bios and hard drive data.

The virus then displays the message:

Another haughty bloodsucker....... YOU THINK YOU ARE GOD , BUT YOU ARE ONLY A CHUNK OF SHIT

The virus contains the "copyright" text in its body:

ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler. By: The Judges Disemboweler. written in Malmo (Sweden)

Variant:Magistr.B

Magistr.b is an improved version of the original Magistr virus-worm. The differences are between the new and the original versions are:

The payload routine is improved by another branch that will overwrite WIN.COM file in Windows directory and NTLDR file in C: root directory with a program that erases hard drive data at startup. That is done for local and for network shared drives as well.

While infecting a local file Magistr can encrypt the entry routine with a key that depends on a computer's name. That makes disinfection of infected files much more difficult. The virus does not encrypt files it infects on a remote computer and it also doesn't encrypt files that are smaller than 131 kilobytes.

To spread with emails the worm also looks for Eudora email data as well.

While infecting network drives the worm looks for more Windows directory names:

  • WINNT
  • WINDOWS
  • WIN95
  • WIN98
  • WINME
  • WIN2000
  • WIN2K
  • WINXP

When infecting a computer over a network, the worm registers itself in WIN.INI and SYSTEM.INI files there. In WIN.INI file, he worm adds its execution string after 'Run=' variable in '[Windows]' section, in SYSTEM.INI file the worm adds itself after 'Shell=' variable in [Boot] section.

The worm looks for GIF files, and can send GIF images out of an infected computer, as well as it can send out a clean DOC files (as original version does). The worm destroys *.NTZ files each time it locates such a file. It also attempts to terminate ZoneAlarm firewall if it is installed, but fails and ZoneAlarm continues to protect the machine.