Hi,

I feel for you.
It tried to get in but McAfee squished it.

How bad was the damage?
How many computers?
Were you able to recover computers?

Ben Johansen


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of David Atkinson
Sent: Friday, June 29, 2001 2:21 PM
To: RBase List
Subject: Description of mjistr virus


Re the Magistr Virus which caught us with our pants down - I received the
following:

David Atkinson
[EMAIL PROTECTED]
www.skidbusters.co.uk

----- Original Message -----
From: "John Blaney" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 29, 2001 5:18 PM
Subject: Description of majistr virus
>
> Win32.Magistr.24876 (also known as W32/Magistr@MM, PE_MAGISTR.A,
> W32.Magistr.24876 and I-Worm.Magistr)
> Magistr is a polymorphic binary virus/worm targeting Windows 9x/ME/2K
> systems and has been reported from the field.
>
> When run, this virus will make a copy of an EXE or SCR file in the system
> directory, give it a slightly different name and infect the copy. The virus
> then adds a reference to this infected file to the following registry key:
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
>
> For example, under test conditions the virus copied "CFGWIZ32.EXE" to
> "CFGWIZ31.EXE" and added the key:
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CFGWIZ31="C:\WINDOWS\SYSTEM\CFGWZ31.EXE"
>
> It may also add the filename to the "run=" line in WIN.INI.
>
> On the next reboot, the infected copy will infect other .EXE and .SCR files
> in the System directory and its subdirectories.
>
> The virus searches for e-mail addresses in Outlook Express and Netscape
> mailboxes, as well as the Windows address book (.WAB) files. It stores
> information about the location of these mailboxes in a hidden file in the
> Windows directory with the extension ".dat". The rest of the filename is
> randomly generated based on the computer name.
>
> Using its own SMTP code (by connecting to the mailserver directly), the
> virus then sends an e-mail message to all of the addresses it has found. The
> subject and body of the e-mail are taken from files on the infected
> machine's hard drive, and therefore may be any collection of ASCII
> characters. An infected file is attached to the e-mail.
>
> Besides using SMTP to spread, Magistr also tries to connect to shares in the
> network neighborhood. If it can connect to a network drive, it will try to
> copy itself to the following directories and add a "run=" line to the
> WIN.INI file on the remote machine to infect it on the next startup:
>
> WIN95
> WIN98
> WINDOWS
> WINNT
>
> The virus code contains a procedure to overwrite files on the hard drive as
> well as the CMOS data and Flash BIOS code. Whilst the CMOS data is
> recoverable, the loss of the Flash BIOS code could potentially render a
> computer unbootable.
>
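The persistence described in the quoted write-up (a renamed EXE/SCR copy in the system directory, started from the HKLM Run key or the WIN.INI "run=" line) can be checked for offline against an exported registry file and a copy of WIN.INI. The following is an added example, not part of the original messages or of any vendor tool; the sample .reg text, WIN.INI text, file list, the C:\WINDOWS\SYSTEM path and all function names are constructed assumptions.

```python
import re

# Assumptions: Windows 9x default paths; all sample data below is constructed.
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"CFGWIZ31"="C:\\WINDOWS\\SYSTEM\\CFGWIZ31.EXE"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\CFGWIZ31.EXE\n"
SAMPLE_SYSTEM_FILES = ["CFGWIZ32.EXE", "CFGWIZ31.EXE", "SYSTRAY.EXE"]

def run_entries(reg_text):
    """Yield (name, command) for each value under the HKLM Run key of a .reg export."""
    in_run = False
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run and (m := re.match(r'"(.+?)"="(.*)"$', line)):
            yield m.group(1), m.group(2).replace("\\\\", "\\")

def win_ini_run(ini_text):
    """Return the programs listed on run= in the [windows] section of WIN.INI."""
    section = ""
    for line in map(str.strip, ini_text.splitlines()):
        if line.startswith("["):
            section = line.lower()
        elif section == "[windows]" and line.lower().startswith("run="):
            return line[4:].replace(",", " ").split()
    return []

def lookalike(command, system_files):
    """Return the sibling file that an EXE/SCR in SYSTEM_DIR is one character away from."""
    folder, _, name = command.strip('"').upper().rpartition("\\")
    if folder != SYSTEM_DIR or not name.endswith((".EXE", ".SCR")):
        return None
    for other in map(str.upper, system_files):
        if len(other) == len(name) and sum(a != b for a, b in zip(name, other)) == 1:
            return other
    return None

def audit(reg_text, ini_text, system_files):
    """List (source, command, lookalike) for autostart entries matching the pattern."""
    entries = [("Run key", cmd) for _, cmd in run_entries(reg_text)]
    entries += [("WIN.INI run=", cmd) for cmd in win_ini_run(ini_text)]
    hits = [(src, cmd, lookalike(cmd, system_files)) for src, cmd in entries]
    return [h for h in hits if h[2]]
```

A hit is a lead for manual review rather than a verdict, since legitimate files can also differ by one character; call audit() with the real export, WIN.INI contents and directory listing in place of the samples.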