It opens the explorer.exe process and searches its memory for a gap large enough to hold exactly 110 bytes of code. If this succeeds it locates the TranslateMessage API in the User32.dll memory space and patches it, so that the 110-byte code stub runs whenever the API is called and then returns to the original API entry point. It then creates a thread, sleeps for 3 minutes and becomes active in memory. It obtains the current Windows directory, infects a file from there and registers that file in win.ini and in the registry so that the virus is executed every time the computer is rebooted.
It infects .EXE and .SCR files on local and remote drives, provided the virus has write access. When it finds a suitable file it places a polymorphic code stub at the entry point of the infected file. The stub contains several anti-debugging tricks to hinder analysis and can be 512 bytes in size. An encrypted copy of the virus body is placed in the last section, together with a polymorphic decryption loop that decrypts it at run time. Finally it calculates a new valid checksum for the modified file and writes it into the CheckSum field of the PE header.
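The checksum repair in the last step is worth making concrete, because it is what lets an infected file pass a naive header-consistency check. The PE CheckSum is a 16-bit ones'-complement sum over the file's words, with the CheckSum field itself treated as zero, plus the file length; appending data to the last section and changing any byte both invalidate it, so an infector has to recompute it. The following Python example is added here and is not part of the original description or of the virus. It implements that algorithm over a constructed minimal PE32 image (sample data built inside the script, not a real binary) and shows the three states a checker should distinguish: unset, matching and mismatching.

```python
import struct


def build_sample_pe(payload: bytes = b"\xC3" * 16) -> bytearray:
    """Constructed minimal PE32 image used as sample input (not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    # "PE\0\0" signature followed by the 20-byte COFF header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                        # PE32 optional header, mostly zero
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)  # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)       # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)      # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)       # SizeOfHeaders
    # opt[64:68] is the CheckSum field; left at zero, as many linkers leave it
    struct.pack_into("<H", opt, 68, 2)           # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    # one section header: name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, relocs/linenums (unused), Characteristics (code|exec|read)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + bytes(opt) + section
    headers += b"\0" * (0x200 - len(headers))    # pad headers up to FileAlignment
    return bytearray(headers + payload)


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # signature (4) + COFF header (20) + CheckSum at offset 64 of the optional header
    return e_lfanew + 4 + 20 + 64


def compute_pe_checksum(data: bytes) -> int:
    """Recompute the PE CheckSum: ones'-complement word sum (field itself skipped) + length."""
    csum_off = checksum_field_offset(data)
    length = len(data)
    buf = bytes(data) + (b"\0" if length % 2 else b"")  # an odd trailing byte is padded
    total = 0
    for off in range(0, len(buf), 2):
        if off == csum_off or off == csum_off + 2:
            continue                              # stored CheckSum counts as zero
        total += buf[off] | (buf[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + length) & 0xFFFFFFFF


def stored_pe_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def set_pe_checksum(data: bytearray) -> int:
    """Write a fresh CheckSum into the header (what an infector must do after patching)."""
    value = compute_pe_checksum(data)
    struct.pack_into("<I", data, checksum_field_offset(data), value)
    return value


def check_pe_checksum(data: bytes) -> str:
    """'unset' if the field is zero, 'ok' if it matches, 'mismatch' otherwise."""
    stored = stored_pe_checksum(data)
    if stored == 0:
        return "unset"
    return "ok" if stored == compute_pe_checksum(data) else "mismatch"


if __name__ == "__main__":
    pe = build_sample_pe()
    print("fresh sample:", check_pe_checksum(pe))          # unset
    print("computed: 0x%08X" % set_pe_checksum(pe))        # 0x000067E0
    print("after fixing:", check_pe_checksum(pe))          # ok
    pe[0x1C0] = 0x41                                       # flip one byte of header padding
    print("after tampering:", check_pe_checksum(pe))       # mismatch
```

Because a zero field is common on ordinary executables, a scanner should treat "unset" as uninformative rather than suspicious; a mismatch, on the other hand, is a cheap first hint that a file has been modified after linking by something that did not bother to repair the field the way Magistr does.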
The EnableAutodial registry value is modified so that the computer dials out automatically on request. Magistr queries the registry for the mail server, e-mail address and display name, and also tries to read this information from eudora.ini. It scans Windows Address Book (.wab), .mbx and .dbx mailbox files and sent-mail files for e-mail addresses, skipping files smaller than 512 bytes. Magistr then e-mails itself to the collected addresses as an attachment with one of the extensions .exe, .bat, .pif or .com; it does not send a file larger than 131072 bytes. The subject line is taken at random from .doc files larger than 3072 bytes and from .txt files.
It contains a large number of anti-debugging tricks, ranging from seldom-used instructions to detecting known debugger drivers in memory. The entry stub mainly uses exception-handling tricks to fool debuggers, and this variant uses uncommon opcodes in its polymorphic generation. After it has decrypted itself and run the virus code, it checks whether SoftICE or another debugger is active. If a debugger is detected it zeroes the debug registers and calls the payload routine. If it encounters *.ntz files while searching for files to infect, it deletes them.
- When the right conditions are met, Magistr decrypts 672 bytes of code. This code contains the destructive BIOS-overwriting payload and the messages that are displayed when the payload runs. The messages are shown in a MessageBox and contain the text “Another haughty bloodsucker.......” and “YOU THINK YOU ARE GOD, BUT YOU ARE ONLY A CHUNK OF SHIT”.
- Goes through all files and overwrites every 25th one with the text “YOUARESHIT”. It also tries to overwrite sectors on the disk and afterwards attempts to flash the BIOS.
- A certain number of days after the computer is infected, icons sometimes start to evade the mouse cursor, making it impossible to work on the computer.
- It overwrites ntldr and windows\win.com with destructive code.
The following text strings (fragments of legal wording in English, French and Spanish) can be found in the virus body:
sentences him to
sentence you to
ordered to prison
find him guilty
judgment of conviction
sufficiency of proof
sufficiency of the evidence
against the accused
aux entiers dépens
le présent arrêt
conformément à la loi
a fait constater
cadre de la procédure
recurso de apelaci
pena de arresto
mando y firmo
calidad de denunciante
antecedentes de hecho
dictando la presente