Colext/Macondo
Virtual cantina of COLombians living abroad (COLombianos en el EXTerior)
--------------------------------------------------

W32/Magistr@MM
Date Added
3/13/01 11:48:44 AM
Virus Characteristics
W32/Magistr@MM is a combination of a file-infecting virus and an e-mail worm.
- The viral code infects 32-bit PE (.EXE) files in the WINDOWS directory and
its subdirectories.
- The worm component uses mass-mailing techniques to send itself to e-mail
addresses harvested from several places. The worm installs itself to run at
each system startup.
Five minutes after the virus is run, it attempts its mailing routine. E-mail
addresses are gathered from the Windows Address Book, Outlook Express
mailboxes, and Netscape mailboxes (addresses found inside the messages stored
in existing mailboxes are also harvested), and these file locations and
addresses are saved to a hidden .DAT file somewhere on the hard disk (the
location varies). The messages sent by the worm have varying subject lines,
body text, and attachments. The body text is derived from the contents of
other files on the victim's computer. A message may carry more than one
attachment and may include non-.EXE or non-viral files alongside an
infectious .EXE file.
The virus then infects 32-bit PE (Portable Executable) .EXE files found in
the WINDOWS SYSTEM directory and its subdirectories. The viral code is
encrypted and polymorphic and uses anti-debugging techniques to make
detection and analysis difficult. E-mail addresses have been seen encrypted
inside infected files; these addresses are believed to represent other users
infected from the same point of origin.
In the decrypted body of the virus code, the following comments exist:
ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler.
by: The Judges Disemboweler.
written in Malmo (Sweden)
W32/Magistr@MM has a payload routine that on some systems may erase CMOS/BIOS
information as well as destroy sectors on the hard disk.
Indications Of Infection
- Increase in size of .EXE files (adds 24 KB or more)
- Infected files carry a modified date/time equal to the time of infection
- Presence of a newly created .DAT file containing e-mail addresses
(those of the users to whom the virus was sent)
- Entry in WIN.INI: RUN=(App)
- Entry in the registry run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\AppName (varies)=C:\WINDOWS\SYSTEM\(App).EXE (varies)
Method Of Infection
This worm arrives as an .EXE attachment with a varying filename. Executing
the attachment infects the machine, which is then used to propagate the virus.
When first run, the virus may copy one .EXE file in the WINDOWS or WINDOWS
SYSTEM directory, reusing its name with the last character altered.
For example, CFGWIZ32.EXE becomes CFGWIZ31.EXE, PSTORES.EXE becomes
PSTORER.EXE, etc.
(This naming convention appears to be consistent: the last character of the
filename is decremented by one.)
This copy is then infected, and a WIN.INI entry or a registry run key value
may be created to execute the infected file at system startup, for example:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
CFGWIZ31=C:\WINDOWS\SYSTEM\CFGWIZ31.EXE
This copied executable, when run, infects other PE .EXE files in the SYSTEM
directory and its subdirectories. It also infects files over open network
shares.
This virus will create a .DAT file on the local file system which contains
the names of the files it harvested e-mail addresses from (.dbx, .mbx, .wab)
and the e-mail addresses themselves, which serve as its target list. The
.DAT file is named after the machine name, with each letter substituted
according to the following table:

original letter:  a b c d e f g h i j k l m n o p q r s t u v w x y z
corresponds to:   y x w v u t s r q p o n m l k j i h g f e d c b a z

In other words, each letter from a to y is mirrored around m (a <-> y,
b <-> x, ..., l <-> n, with m unchanged), and z maps to itself. Numbers are
not affected. So a machine name of ABC-123 would have a .DAT file on the
local system named YXW-123.DAT.
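The two host-specific naming rules above (the dropped copy with its last character decremented, and the machine-name substitution that yields the address-list .DAT filename) are easy to turn into a hunt: predict the names for a given host and compare them against a directory listing and the Run-key values. The following is an added example written for this page, not the worm's own code nor a vendor tool; the machine name, file listing and Run-key values are constructed sample data, and the behaviour for a last character of "A" or "0" (where decrementing leaves the alphanumeric range) is an assumption, since the description gives no example of it.

```python
"""Predict and hunt for W32/Magistr@MM host-specific artefacts.

Rules taken from the description above:
  1. Dropped copy: an existing .EXE name with its last character decremented
     by one (CFGWIZ32.EXE -> CFGWIZ31.EXE, PSTORES.EXE -> PSTORER.EXE).
  2. Address-list file: machine name with each letter substituted per the
     published table (a->y ... m->m ... y->a, z->z), digits untouched, plus .DAT.
Added example, not the worm's code. Sample data below is constructed.
"""
import os
import string

# The published table is exactly: letter at index i maps to index (24 - i) mod 26.
# Check: a(0)->y(24), m(12)->m(12), y(24)->a(0), z(25)->(-1 mod 26)=25->z.
_ALPHABET = string.ascii_lowercase
_DAT_TABLE = {c: _ALPHABET[(24 - i) % 26] for i, c in enumerate(_ALPHABET)}


def magistr_dat_name(machine_name: str) -> str:
    """Expected name of the worm's hidden address-list .DAT file for this host."""
    out = []
    for ch in machine_name:
        low = ch.lower()
        if low in _DAT_TABLE:
            sub = _DAT_TABLE[low]
            out.append(sub.upper() if ch.isupper() else sub)
        else:
            out.append(ch)  # digits and punctuation pass through unchanged
    return "".join(out) + ".DAT"


def magistr_copy_name(exe_name: str) -> str:
    """Name the worm would give its dropped copy of exe_name (last char - 1).

    Assumption: the decrement is a plain character-code decrement, so a stem
    ending in 'A' or '0' yields '@' or '/'; the page shows no such case.
    """
    stem, ext = os.path.splitext(exe_name)
    if not stem:
        raise ValueError("need a non-empty file name")
    return stem[:-1] + chr(ord(stem[-1]) - 1) + ext


def find_magistr_indicators(machine_name, filenames, known_exes, run_values):
    """Flag files and Run-key values matching the predicted artefact names.

    filenames: names present in the WINDOWS / SYSTEM directory listing.
    known_exes: legitimate .EXE names the worm could have copied.
    run_values: {value_name: path} from the Run key (or WIN.INI run= line).
    Returns a list of (artefact, reason) tuples.
    """
    expected_dat = magistr_dat_name(machine_name).upper()
    expected_copies = {magistr_copy_name(e).upper(): e for e in known_exes}
    hits = []
    for f in filenames:
        up = f.upper()
        if up == expected_dat:
            hits.append((f, "address-list .DAT derived from machine name"))
        elif up in expected_copies:
            hits.append((f, "dropped copy of " + expected_copies[up]))
    for name, path in run_values.items():
        base = os.path.basename(path.replace("\\", "/")).upper()
        if base in expected_copies:
            hits.append((name + "=" + path, "startup entry runs dropped copy"))
    return hits


if __name__ == "__main__":
    # Constructed sample: one infected host named ABC-123.
    sample_files = ["YXW-123.DAT", "CFGWIZ32.EXE", "CFGWIZ31.EXE",
                    "PSTORES.EXE", "PSTORER.EXE", "NOTEPAD.EXE"]
    sample_known = ["CFGWIZ32.EXE", "PSTORES.EXE", "NOTEPAD.EXE"]
    sample_run = {"CFGWIZ31": r"C:\WINDOWS\SYSTEM\CFGWIZ31.EXE",
                  "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"}
    for artefact, why in find_magistr_indicators("ABC-123", sample_files,
                                                 sample_known, sample_run):
        print(artefact, "->", why)
```

Because the substitution is its own inverse on a..y, `magistr_dat_name` applied to the stem of a suspicious .DAT name recovers the machine name it was generated on, which is useful when a .DAT turns up on a share rather than on the host that created it.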
Removal Instructions
Use the specified scan engine and signature DAT files for detection and
removal (the scanner's definition files, not the worm's address-list .DAT).
Virus Information
Discovery Date: 3/12/01
Origin: Europe
Length: Varies, adds at least 24 KB
Type: Virus
SubType: worm
Risk Assessment: Medium
Aliases
I-Worm.Magistr (CA), Magistr (F-Secure), PE_MAGISTR.A (Trend),
W32.Magistr.24876@mm (Symantec), W32/Disemboweler (Panda), W32/Magistr-a
(Sophos)

--------------------------------------------------------------
    To unsubscribe send an email to:  [EMAIL PROTECTED]
    with UNSUBSCRIBE COLEXT as the BODY of the message.

    An archive of colext can be found at:
    http://www.mail-archive.com/[email protected]/
    courtesy of Anibal Monsalve Salazar