Magistr is a very dangerous memory-resident Win32 worm combined
with file-infecting virus routines. It was found in the wild in
the middle of March 2001. Magistr spreads over the Internet in
infected e-mails, infects Windows executable files on the
affected (local) machine, and is able to spread itself over a
local network (LAN).
The virus has an extremely dangerous payload: depending on
several conditions it erases hard drive data, CMOS memory and
Flash BIOS contents in the same way the Win95.CIH (aka Chernobyl)
virus does.
The virus itself is a program about 30 KB long written in
Assembler, which is very large for a virus written in pure
Assembler. The size is explained by its Win32 PE EXE infection
algorithm, e-mail and network spreading routines, two polymorphic
engines, payload routines, and the many anti-debugging and other
tricks the virus uses to make its detection and disinfection
harder. This makes Magistr one of the most complex viruses known
at the moment.
When the virus is run (for example from an infected message, when
a user opens an infected attachment) it installs itself memory
resident in Windows memory, then runs in the background, sleeps
for a few minutes and starts its routines: local and network
Win32 PE EXE infection, e-mail spreading, etc.
To install itself in memory the virus gets access to the memory
of the running EXPLORER.EXE process (the EXPLORER.EXE program
image that is actually loaded and active) and patches it with a
short 110-byte "loader" routine that then runs the main virus
code inside EXPLORER's address space. The virus is thus memory
resident as a component of the EXPLORER.EXE process and operates
in the background as an EXPLORER thread. Before running its
routines the virus sleeps for 3 minutes.
The virus then takes a file (usually the first file) from the
Windows directory, infects it and registers that file in the
Windows auto-run Registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run and in the
"run=" instruction of the [windows] section of WIN.INI. The
virus code is therefore activated on each Windows restart.
That file is infected so that the host program is not activated
after the virus runs (control is not returned to the host
program; the affected application simply exits). Thus the virus
activates itself from the system Registry or from WIN.INI without
any visible side effect.
The virus then runs its infection routines, which scan
directories and available drives for Win32 PE .EXE and .SCR files
and infect them. First the virus tries the WINNT, WINDOWS, WIN95
and WIN98 directories and infects files there; this step is
activated randomly, in 3 cases out of 4. Next the virus scans all
local drives and infects files on them.
After that the virus enumerates network resources that are shared
for full access, looks for WINNT, WINDOWS, WIN95 and WIN98
directories on them, and infects files in those directories. The
virus also registers itself there by writing a "run=" instruction
into the remote WIN.INI file, so remote Win9x systems become
infected on their next Windows startup.
While processing the drives the virus creates a special .DAT file
for its own use. The file name and location depend on the network
name of the current machine. The file is created in the Windows
directory, in the 'Program Files' directory, in the root
directory of drive C:, or in the root directory of the system
drive.
The virus infects PE EXE files (Win32 executables) in a complex
way that is difficult to disinfect. It encrypts its main code
with a polymorphic engine and writes itself to the end of the
file. To get control when an infected file starts, the virus
patches the entry code with a second polymorphic routine that
passes control to the encrypted main virus code at the end of
the file.
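The following is an added example and not part of the F-Secure description: a header-level triage check for the appended-body infection style described above. It walks the PE section table, maps AddressOfEntryPoint to its section and reports two indicators that an analyst looks for in this class of infection: the entry point lying in the last section (a redirected entry point) and the last section being executable or writable (an appended, self-decrypting body). Because Magistr patches the original entry code in place, the entry point of an infected file may still sit in the first code section, and only the executable tail gives it away. Both indicators are heuristics with false positives (packers, some linkers). The sample images below are constructed in the code and are hypothetical layouts, not real Magistr-infected files.

```python
# Added example (not from the F-Secure description): appended-body PE triage.
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes):
    """Return (entry_rva, sections) where sections is a list of dicts
    taken from the COFF section table of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of the optional header (PE32 and PE32+).
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawptr": rawptr,
                         "rawsize": rawsize, "chars": chars})
        off += 40
    return entry_rva, sections


def section_index(rva, sections):
    """Index of the section whose virtual range covers rva, or None."""
    for i, s in enumerate(sections):
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return i
    return None


def triage(data: bytes) -> dict:
    """Apply the appended-body heuristics to one PE image."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        raise ValueError("PE image has no sections")
    idx = section_index(entry_rva, sections)
    last = sections[-1]
    return {
        "entry_rva": entry_rva,
        "entry_section": sections[idx]["name"] if idx is not None else None,
        "entry_in_last_section": idx is not None and idx == len(sections) - 1 and len(sections) > 1,
        "last_section_executable": bool(last["chars"] & IMAGE_SCN_MEM_EXECUTE),
        "last_section_writable": bool(last["chars"] & IMAGE_SCN_MEM_WRITE),
    }


def build_pe(entry_rva, sections):
    """Build a minimal header-only PE32 image for testing from
    (name, va, size, chars) tuples; no real code or data follows the headers."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    opt_size = 0xE0                                           # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.encode(), size, va, size,
                                 0, 0, 0, 0, 0, chars)
                     for name, va, size, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RSRC = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
TAIL = RSRC | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE   # enlarged, self-decrypting tail

# Constructed samples (hypothetical layouts, not real infected files).
CLEAN = build_pe(0x1200, [(".text", 0x1000, 0x2000, CODE),
                          (".data", 0x3000, 0x1000, DATA),
                          (".rsrc", 0x4000, 0x0800, RSRC)])
# Body appended into the last section and the entry point redirected into it.
REDIRECTED = build_pe(0x4F00, [(".text", 0x1000, 0x2000, CODE),
                               (".data", 0x3000, 0x1000, DATA),
                               (".rsrc", 0x4000, 0x8000, TAIL)])
# Magistr-style: entry code patched in place, so the entry point stays in
# .text and only the executable tail is visible at header level.
PATCHED = build_pe(0x1200, [(".text", 0x1000, 0x2000, CODE),
                            (".data", 0x3000, 0x1000, DATA),
                            (".rsrc", 0x4000, 0x8000, TAIL)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("redirected", REDIRECTED), ("patched", PATCHED)):
        print(label, triage(image))
```

Run against a real file with `triage(open(path, "rb").read())`; a hit on either indicator is a reason to submit the file to a scanner, not a verdict, since the polymorphic decryptor at the entry point cannot be identified from the headers alone.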
To send infected e-mails the virus reads the settings of installed
e-mail clients from the system Registry. It gets information on
the following clients:
Outlook Express
Netscape Messenger
Internet Mail and News
The virus then scans the e-mail database files of the clients it
found, harvests e-mail addresses from them and sends its copies
to those addresses. An infected message may have no body (no
text) or a randomly constructed text; the same applies to the
Subject. The attached file name varies, and the attachment can
have an EXE or SCR extension. The virus looks in the system for a
PE EXE file up to 132 KB in size, infects it and attaches it to
the message.
The Subject and Body are randomly constructed from words and
sentences found in .DOC and .TXT files on the system (the virus
also scans local drives for such files and takes text from
them). In addition the virus randomly uses words and sentences
from the following list of English, French and Spanish legal
terms (some entries are word stems rather than whole words, as
listed):
sentences you
sentences him to
sentence you to
ordered to prison
convict
, judge
circuit judge
trial judge
found guilty
find him guilty
affirmed
judgment of conviction
verdict
guilty plea
trial court
trial chamber
sufficiency of proof
sufficiency of the evidence
proceedings
against the accused
habeas corpus
jugement
condamn
trouvons coupable
à rembourse
sous astreinte
aux entiers dépens
aux dépens
ayant délibéré
le présent arrêt
vu l'arrêt
conformément à la loi
exécution provisoire
rdonn
audience publique
a fait constater
cadre de la procédure
magistrad
apelante
recurso de apelaci
pena de arresto
y condeno
mando y firmo
calidad de denunciante
costas procesales
diligencias previas
antecedentes de hecho
hechos probados
sentencia
comparecer
juzgando
dictando la presente
los autos
en autos
denuncia presentada
While sending infected messages the virus connects to one of
three e-mail servers using the SMTP protocol and sends the
messages there. In 4 cases out of 5 the virus also corrupts the
second letter of the sender name.
The virus stores in its body the ten e-mail addresses it most
recently spread from (a spreading history). While spreading, the
virus compares each victim address against that list and does not
send messages to addresses that are already infected.
Depending on its internal counters the virus manifests itself
visually: it gets access to the Windows desktop and does not let
the mouse reach the desktop icons. When the mouse cursor is moved
to an icon, the virus moves the icon away from the cursor, so the
desktop icons appear to "escape" the mouse. A similar effect was
first introduced by the Joke.Win.Stupid joke program, but there
it was a button that ran away from the mouse cursor, not an icon.
One month after infecting the computer the virus runs its payload
routine, which overwrites all files on all local and network
drives with the text "YOUARESHIT". Under Win9x the virus also
erases the CMOS, the Flash BIOS and hard drive data.
The virus then displays the message:
Another haughty bloodsucker.......
YOU THINK YOU ARE GOD ,
BUT YOU ARE ONLY A CHUNK OF SHIT
The virus contains the "copyright" text in its body:
ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler.
by: The Judges Disemboweler. written in Malmo (Sweden)
Disinfection of Magistr.A requires removing the virus from all
disinfectable files with F-Secure Anti-Virus and renaming all
locked or non-disinfectable files. To disinfect or delete locked
files, exit to pure DOS and clean the system with a DOS version
of F-Prot or AVP. On Windows NT, rename the file(s) to a
non-executable extension (for example *.EX1), restart the system,
then disinfect the renamed file and rename it back.
Note: files detected as 'Magistr.poly' or 'Magistr.corrupted' are
corrupted and cannot be disinfected. They should be deleted and
restored from a backup.
Magistr.b is an improved version of the original Magistr
virus-worm. The differences between the new and the original
versions are:
The payload routine is extended with another branch that
overwrites the WIN.COM file in the Windows directory and the
NTLDR file in the root directory of C: with a program that erases
hard drive data at startup. This is done both for local and for
network shared drives.
While infecting a local file Magistr.b can encrypt the entry
routine with a key that depends on the computer's name, which
makes disinfection of infected files much more difficult. The
virus does not encrypt files it infects on a remote computer, and
it also does not encrypt files smaller than 131 kilobytes.
To spread by e-mail the worm also looks for Eudora e-mail data.
While infecting network drives the worm looks for more Windows
directory names:
WINNT
WINDOWS
WIN95
WIN98
WINME
WIN2000
WIN2K
WINXP
When infecting a computer over the network, the worm registers
itself in that computer's WIN.INI and SYSTEM.INI files. In
WIN.INI it adds its execution string after the 'Run=' variable in
the '[Windows]' section; in SYSTEM.INI it adds itself after the
'Shell=' variable in the '[Boot]' section.
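As an added example that is not part of the F-Secure description, the following script checks the legacy Windows autostart points the two Magistr variants use: the WIN.INI run= line written by the original version and by the network infection, and the SYSTEM.INI shell= line written by Magistr.b, plus the HKLM Run key used for local persistence. It parses INI text offline and flags a non-empty run= (and its sibling load=) under [windows] and a [boot] shell= that is anything other than Explorer.exe; on a live Windows host the `registry_run_values` helper additionally lists the Run key values. The INI samples and the file name INFECTED.EXE are constructed placeholders, not names taken from a real infection.

```python
# Added example (not from the F-Secure description): legacy autostart check.


def parse_ini(text: str) -> dict:
    """Minimal INI parser: {section: [(key, value), ...]} with section and
    key names lower-cased, duplicates and order preserved."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def autorun_findings(win_ini: str, system_ini: str) -> list:
    """Return (file, section, key, value) for every autostart entry that
    deviates from the defaults (empty run=/load=, shell=Explorer.exe)."""
    findings = []
    for key, value in parse_ini(win_ini).get("windows", []):
        if key in ("run", "load") and value:
            findings.append(("WIN.INI", "windows", key, value))
    for key, value in parse_ini(system_ini).get("boot", []):
        if key == "shell" and value.lower() != "explorer.exe":
            findings.append(("SYSTEM.INI", "boot", key, value))
    return findings


def registry_run_values(subkey=r"Software\Microsoft\Windows\CurrentVersion\Run") -> list:
    """On a live Windows host, list (name, command) pairs under HKLM\\...\\Run;
    returns [] on other platforms so the module stays importable there."""
    try:
        import winreg
    except ImportError:
        return []
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                break
            values.append((name, str(data)))
            i += 1
    return values


# Constructed sample files (placeholders, not taken from a real infected machine).
CLEAN_WIN_INI = """[windows]
load=
run=
NullPort=None
[fonts]
"""
CLEAN_SYSTEM_INI = """[boot]
shell=Explorer.exe
[386Enh]
"""
INFECTED_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\INFECTED.EXE
NullPort=None
"""
INFECTED_SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\INFECTED.EXE
"""

if __name__ == "__main__":
    print("clean:", autorun_findings(CLEAN_WIN_INI, CLEAN_SYSTEM_INI))
    print("infected:", autorun_findings(INFECTED_WIN_INI, INFECTED_SYSTEM_INI))
    print("HKLM Run:", registry_run_values())
```

Every flagged entry names the file the worm registered; because that file no longer returns control to its host program, it can be renamed to a non-executable extension and cleaned as described in the disinfection notes, while the INI line and Registry value are removed by hand.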
The worm looks for GIF files and can send GIF images out of an
infected computer, as well as clean DOC files (as the original
version does).
The worm destroys *.NTZ files whenever it finds one. It also
attempts to terminate the ZoneAlarm firewall if it is installed,
but fails, and ZoneAlarm continues to protect the machine.
F-Secure Anti-Virus detects and disinfects Magistr.B
virus-worm with the latest updates.
Disinfection of Magistr.b requires removing the virus from all
disinfectable files with F-Secure Anti-Virus and renaming all
locked or non-disinfectable files. To disinfect or delete locked
files, exit to pure DOS and clean the system with a DOS version
of F-Prot or AVP. On Windows NT, rename the file(s) to a
non-executable extension (for example *.EX1), restart the system,
then disinfect the renamed file and rename it back.
Note: files detected as 'Magistr.b.poly' or 'Magistr.b.corrupted'
are corrupted and cannot be disinfected. They should be deleted
and restored from a backup.
---- Alternative disinfection with AVP engine ----
As Magistr.b encrypts files larger than 131 kilobytes with a key
that depends on the computer's name, such files can only be
disinfected on the computer they were infected on. Before
disinfecting them you first have to download the DISINF utility
archive.
Unpack the archive to a folder and do the following:
1. Run DISINF.EXE. It creates a DISINF.INI file containing
various data, including the ComputerName needed for disinfection.
2. Scan DISINF.INI with FSAV. A special routine in the database
reads the computer's name from DISINF.INI.
3. Scan the infected computer and disinfect Magistr. The
disinfection routine uses the ComputerName previously taken from
DISINF.INI to decrypt the infected files.
Note that if you reboot the computer and want to continue
disinfecting encrypted files, you have to start again from step 2
above.
Also please note that this solution is only available for the AVP
engine and for FSAV for DOS (32-bit version).
[E. Kaspersky, KL; A. Podrezov, F-Secure; March 15th, 2001, September 6th, 2001]