> Do any of you have any definitive steps on how to deal with that particular virus/worm or
> whatever it is? I myself am not familiar with it.
>
> Meanwhile, cut him a little slack, will ya :-)
Yeah, I do. (see below) Sorry, but I cannot give you the URL, because Norton has their database set up to hide accesses to individual pages.

As list owner of a virus and net security group, I am aware that Jorge is at the moment unable to control his computer, and my suggestion that he be temporarily suspended from the list was not in any way motivated by animosity. It is simply a good way to halt the potential spread of the virus to other list members, sort of a 'quarantine'.

-wittig
http://www.robertwittig.com/

-----Info, W32.Magistr.24876@mm-----

Symantec Security Response
W32.Magistr.24876@mm
Discovered on: March 13, 2001
Last Updated on: September 10, 2001 at 10:32:05 AM PDT

Due to the increased number of submissions, SARC has updated the threat level of this virus from 3 to 4.

W32.Magistr.24876@mm is a virus that has email worm capability. It is also network aware. It infects Windows Portable Executable (PE) files, with the exception of .d[...] it gathers from the Outlook/Outlook Express mail folders (.dbx, .mbx), the sent items file from Netscape, and Windows address books (.wab), which are used by mail [...] Express. The email message may have up to two attachments, and it has a randomly generated subject line and message body.

NOTE: In many cases this virus will "touch" files and se[...] viral code and should be considered clean. In such cases it is safe to delete the file and it would be prudent to inform the sender that their system has been infected by the virus.
Also Known As: I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr@mm, W32.Magistr.24876.int, W32/Disemboweler, W32.Magistr.corrupt, W32/Magistr-A
Type: Virus, Worm
Infection Length: varies
Virus Definitions: March 13, 2001

Threat Assessment:
  Wild: High
  Damage: High
  Distribution: High

Wild:
  * Number of infections: 50 - 999
  * Number of sites: More than 10
  * Geographical distribution: Medium
  * Threat containment: Moderate
  * Removal: Moderate

Damage:
  * Payload: [...] the Windows Address Book files and Outlook Express Sent Items folder.
  * Causes system instability: Overwrites hard drive, erases CMOS, flashes the BIOS.
  * [...] confidential Microsoft Word documents to others.

Distribution:
  * Subject of email: Randomly generated text that can be up to 60 characters long.
  * Name of attachment: One randomly named infected [...] several randomly selected text or document files.
  * Target of infection: All Windows PE files that are not .dll files.

Technical description:

When a file that is infected by W32.Magistr.24876@mm is executed, it searches in memory for a readable, writable initialized section inside the memory space of [...] inserted into that area, and the TranslateMessage function is hooked to point to that routine. This code first appeared in W32.Dengue. [...] and the original TranslateMessage function is called. The thread waits for three minutes before activating. Then the virus obtains the name of the computer, converts it to a [...] name, creates a file in either the \Windows folder, the \Program Files folder, or the root folder. This file contains certain information, such as the location of the [...]. Then it retrieves the current user's email name and address information from the registry (Outlook, Exchange, Internet Mail and News), or the Prefs.js file (Netscape) [...] recently infected users, and these names are visible in infected files when the virus is decrypted.

After this, the virus searches for the Sent file in the Netscape [...] and .dbx files in the \Windows and \Program Files folders.

If an active Internet connection exists, the virus searches for up to five .doc and .txt files and chooses [...] words are used to construct the subject and message body of the email message. Then the virus searches for up to [...] .exe and .scr files smaller than 128 KB, infects one of [...] message, and sends this message to up to 100 people from the address books. In addition there is a 20-percent chance that it will attach the file from which the subject [...] it will add the number 1 to the second character of the sender address. This last change prevents replies from being returned to you and possibly alerting you to the infection.

After the mailing is done, the virus searches for up to [...] .exe and .scr files, and infects one of these files. Then there is a 25-percent chance, if the Windows directory is named one of the following:

  * Winnt
  * Win95
  * Win98
  * Windows

that the virus will move the infected file into the [...]. If the file is moved, a run= line is added to the Win.ini file to run the virus whenever the computer is started. In the other 75 percent of cases, the virus will create a registry subkey in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [...] suffix, and the value is the complete file name of the infected file. The virus then searches all local hard drives and all shared folders on the network for up to 2[...] .exe and .scr files to infect, and adds the run= line if the \Windows folder exists in that location.
If the computer has been infected for one month and at least 100 people have been sent an infected file, and if at least three files contain at least three examples from the following list:

  sentences you
  sentences him to
  sentence you to
  convict
  to prison
  judge
  circuit judge
  found guilty
  find him guilty
  affirmed
  verdict
  of conviction
  guilty plea
  trial court
  sufficiency of proof
  sufficiency of the evidence
  proceedings
  habeas corpus
  ccused jugement condamn a rembourseupable sous astreinte aux entiers depens ayant delibere le present arret vu l'arret execution provisoirei rdonn audience publique cadre de la procedure magistrad apelante pena de arrestoaci y condeno mando y firmo costas procesalesiante diligencias previas antecedentes de hecho sentenciaobados comparecer juzgando los autosla presente en autos denuncia presentada

This payload is similar to that of W32.Kriz, and it does the following:

  * Deletes the infected file
  * Erases CMOS (Windows 9x/Me only)
  * Erases the Flash BIOS (Windows 9x/Me only)
  * Overwrites every 25th file with the text YOUARESHIT as many times as it will fit in the file
  * Deletes every other file
  * Displays the following message: [image not reproduced]
  * Overwrites a sector of the first hard disk

This payload is repeated infinitely.

[...] odd days the desktop icons are repositioned whenever the mouse pointer approaches, giving the impression that the icons are "running away" from the mouse. [image not reproduced]

If the computer has been infected for three months, then the infected file is deleted.

[...] entry point address remains the same, but up to 512 bytes of garbage code is placed at that location. This garbage code transfers control to the last section. A polymorphic [...] is hostile to debuggers and will crash the computer if a debugger is found.

NOTE: If a file is detected as W32.Magistr.corrupt, this indicates that the file was damaged by the virus and cannot be repaired.

Removal instructions:

To remove this worm:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system [...] all files.
3. If any files are detected as infected by W32.Magistr.24876@mm, choose Repair.
4. Modify the file Win.ini by removing any reference to an infected file from the run= line. In most cases on a clean system, the run= line will not be loading anything.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding. [...] Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document 927002.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Edit[...]
3. Navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value which references a file infected by W32.Magistr.24876@mm.

NOTE: This virus contains bugs which will corrupt some files while attempting to infect them, as well as when the first payload activates. These files cannot be repaired. (These files may be detected as W32.Magistr.corrupt.)

Additional information:

What are Portable Executable (PE) files? [...] 32-bit operating systems. The same PE format executable can be executed on any version of Windows 95, 98, Me, NT and 2000. Therefore, all PE files are executable, but not all executable files are portable. A good example of a Portable Executable is a screen saver (.scr) file.

Write-up by: Peter Ferrie

To unsubscribe from SURVPC send a message to [EMAIL PROTECTED] with unsubscribe SURVPC in the body of the message. Also, trim this footer from any quoted replies. More info can be found at: http://www.softcon.com/archives/SURVPC.html
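The removal steps quoted above come down to auditing the two autostart locations the write-up names: the run= (and load=) line in the [windows] section of Win.ini, and the string values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The script below is an added example, not code from the Symantec write-up or the SURVPC list; it parses a Win.ini text and a regedit-style .reg export offline and reports every autostart entry whose executable is not on a reviewer-supplied allowlist. The sample Win.ini, the sample .reg export, the file names in them and the allowlist are all constructed for the demonstration; the "first path component ending in an executable extension" heuristic is the author's own, not anything Symantec publishes.

```python
import re
from dataclasses import dataclass

# Constructed sample Win.ini (not from a real machine). On a clean system the
# run= and load= lines of [windows] are normally empty, as the write-up notes.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\RXVJLK.EXE\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)

# Constructed sample export of the Run key in the format regedit writes.
# Backslashes and quotes inside .reg string values are escaped with a backslash.
SAMPLE_RUN_REG = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    "\"SystemTray\"=\"SysTray.Exe\"\n"
    "\"mqhvb\"=\"C:\\\\Program Files\\\\mqhvb.exe\"\n"
)

RUN_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

# Reviewer-supplied allowlist of executables expected to autostart (constructed).
KNOWN_GOOD = frozenset({"systray.exe"})

# First path component ending in an executable extension, e.g. "a b.exe" out of
# '"C:\Program Files\a b.exe" /q'. Hypothetical heuristic for this example.
_EXE_RE = re.compile(r'([^\\/"]+?\.(?:exe|scr|com|bat|pif))\b', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str   # "win.ini" or "registry"
    name: str     # "run"/"load", or the registry value name
    command: str  # what would be launched at startup


def parse_win_ini(text: str) -> dict[str, dict[str, str]]:
    """Parse INI text into {section: {key: value}}; names are lower-cased."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def win_ini_autostarts(text: str) -> list[tuple[str, str]]:
    """Return (key, program) for each program on the load= and run= lines.
    Multiple programs are assumed to be comma-separated (assumption)."""
    windows = parse_win_ini(text).get("windows", {})
    found = []
    for key in ("load", "run"):
        for program in windows.get(key, "").split(","):
            if program.strip():
                found.append((key, program.strip()))
    return found


def _unescape_reg(value: str) -> str:
    """Undo .reg escaping of backslash and double quote."""
    return value.replace("\\\\", "\\").replace('\\"', '"')


def parse_run_key(reg_text: str, key_path: str = RUN_KEY) -> dict[str, str]:
    """Return {value_name: command} for string values under key_path in a .reg export."""
    values, in_key = {}, False
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key_path.lower()
        elif in_key:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                values[_unescape_reg(m.group(1))] = _unescape_reg(m.group(2))
    return values


def exe_name(command: str) -> str:
    """Lower-cased executable file name referenced by a command line."""
    m = _EXE_RE.search(command)
    return m.group(1).lower() if m else command.strip().lower()


def audit_autostarts(win_ini_text, reg_text, known_good=KNOWN_GOOD) -> list[Finding]:
    """Flag every autostart entry whose executable is not on the allowlist."""
    findings = [Finding("win.ini", key, prog)
                for key, prog in win_ini_autostarts(win_ini_text)
                if exe_name(prog) not in known_good]
    findings += [Finding("registry", name, cmd)
                 for name, cmd in parse_run_key(reg_text).items()
                 if exe_name(cmd) not in known_good]
    return findings


if __name__ == "__main__":
    for f in audit_autostarts(SAMPLE_WIN_INI, SAMPLE_RUN_REG):
        print(f"{f.source:9}{f.name:12}{f.command}")
```

On a real machine the two inputs would be the contents of Win.ini in the Windows folder and an export of the Run key (regedit's /e switch writes one), and the allowlist would be whatever the reviewer has confirmed belongs on that system. The audit deliberately reports rather than deletes: the write-up's step 4 for both Win.ini and the registry is a manual review of which entries reference an infected file.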
