FRISK Software International


Summary of W32/Magistr.32768@mm
Alias: I-Worm.Magistr.b (KAV), W32.Magistr.39921@mm (Symantec)
Length: 32768
Discovered: 1 Sep 2001
Definition files: 1 Sep 2001
Risk Level: High
Distribution: Medium
Infection Method: file infection, mass mailing, spreading over networks.

Brief Description
Magistr.32768 is a modified variant of its predecessor Magistr.28672. It is a parasitic, mass-mailing, memory-resident virus with its own SMTP engine. It has a polymorphic decryption loop and a polymorphic entry stub that uses several anti-debugging tricks, and it checks whether certain debuggers are present on the machine. When executed it patches explorer.exe and goes resident.


Technical Description

Installing:

It opens the explorer.exe process and looks for a gap large enough to hold exactly 110 bytes of code. If that succeeds, it searches for the TranslateMessage API in the memory space of User32.dll and patches it so that the 110-byte code stub runs whenever the API is called, after which control returns to the original API. It then creates a thread, sleeps for 3 minutes and becomes active in memory. It gets the current Windows directory, infects a file there, and registers that file in win.ini and in the registry so that the virus is executed every time the computer is rebooted.

Infecting:

It infects .EXE and .SCR files on local and remote drives to which the virus has write access. When it finds a suitable file it places a polymorphic code stub at the entry point of the file; the stub contains several anti-debugging tricks to hinder analysis and can be 512 bytes in size. An encrypted copy of the virus is placed in the last section, with a polymorphic decryption loop attached that decrypts it at run time. Finally it calculates a new valid checksum for the file and writes it into the CheckSum field of the PE header.
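The CheckSum field the virus recomputes can be verified independently. The following Python is an added example, not part of this F-Prot description or of F-Prot itself: it reimplements the standard Windows PE checksum algorithm (a 16-bit one's-complement sum over the image, skipping the CheckSum field itself, plus the file length), runs it against a constructed minimal PE32 header, and shows why a matching checksum says nothing about infection: any writer that modifies the file, Magistr included, can simply store a fresh valid value. All function names and the sample header are the example's own.

```python
import struct


def find_checksum_offset(data: bytes) -> int:
    """Locate the CheckSum field: e_lfanew + 4 (PE signature) + 20 (COFF header)
    + 64 (offset of CheckSum in both the PE32 and the PE32+ optional header)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """Compute the PE checksum the way Windows' CheckSumMappedFile does:
    sum all 16-bit little-endian words except the 4 bytes of the CheckSum
    field, folding the carry back into the low 16 bits, then add the length."""
    skip = find_checksum_offset(data)
    total = 0
    for off in range(0, len(data) - 1, 2):
        if skip <= off < skip + 4:
            continue  # the CheckSum field itself is treated as zero
        total += data[off] | (data[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry
    if len(data) % 2:  # a trailing odd byte counts as the low half of a word
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)  # final fold
    return total + len(data)


def set_checksum(data: bytes) -> bytes:
    """Return a copy carrying a freshly computed, valid CheckSum (what a linker
    does, and what the worm does after infecting a file)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, find_checksum_offset(data), pe_checksum(data))
    return bytes(buf)


def verify_checksum(data: bytes) -> bool:
    """True when the stored CheckSum matches the recomputed one."""
    stored = struct.unpack_from("<I", data, find_checksum_offset(data))[0]
    return stored == pe_checksum(data)


def build_sample_pe() -> bytes:
    """Constructed minimal 512-byte PE32 header (not a runnable program) used as
    offline test input: MZ stub, e_lfanew = 0x80, one section, CheckSum = 0."""
    hdr = bytearray(512)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)         # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    struct.pack_into("<HH", hdr, coff, 0x14C, 1)    # Machine = i386, NumberOfSections = 1
    struct.pack_into("<H", hdr, coff + 16, 0xE0)    # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", hdr, coff + 18, 0x0102)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<H", hdr, coff + 20, 0x10B)   # optional header Magic = PE32
    return bytes(hdr)


def tamper(data: bytes, offset: int = 0x100, value: int = 0x41) -> bytes:
    """Overwrite one byte inside the optional header to simulate an edit made
    without recomputing the CheckSum; a single-byte change always alters the sum."""
    buf = bytearray(data)
    buf[offset] = value
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_pe()
    print("checksum of sample:", hex(pe_checksum(sample)))
    fixed = set_checksum(sample)
    print("valid after set_checksum:", verify_checksum(fixed))
    print("valid after tampering:", verify_checksum(tamper(fixed)))
    # Recomputing after the modification makes the check pass again, which is
    # what Magistr does to an infected file: the field is an integrity hint,
    # not an authenticity check.
    print("valid after tamper + recompute:", verify_checksum(set_checksum(tamper(fixed))))
```

A mismatching CheckSum is a useful triage hint for files that were patched carelessly, but a matching one rules nothing out; for this family, detection has to rely on the scanner's signatures and on the behaviours described above (the explorer.exe patch, the win.ini and registry entries, the mass mailing) rather than on header integrity.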

Mailing:

The EnableAutodial registry key is modified so that the computer dials out automatically on request. Magistr queries the registry for the mail server, e-mail address and display name, and also tries to retrieve this information from eudora.ini. It scans for e-mail addresses in Windows Address Book files (.wab), in .mbx and .dbx files and in sent files, skipping files smaller than 512 bytes. It then e-mails itself to those addresses as an attachment with one of the extensions .exe, .bat, .pif or .com; it does not send a file larger than 131072 bytes. The subject line is taken at random from .doc files larger than 3072 bytes and from .txt files.

Anti-Debugging tricks:

It has many of these, ranging from seldom-used instructions to detecting known debugger drivers in memory. The entry stub mainly uses exception-handling tricks to fool debuggers, and this variant uses uncommon opcodes in its polymorphic generation. After it has decrypted itself and run the virus code, it checks whether SoftIce or other debuggers are active. If any debugger is detected it zeroes the debug registers and calls the payload routine. If it encounters *.ntz files while searching for files, it deletes them.

Payload:

  • When the right conditions are met, Magistr decrypts 672 bytes of code. This code contains the destructive BIOS-overwriting payload and the messages displayed when the payload runs. The messages are shown in a MessageBox and contain the text “Another haughty bloodsucker.......” and “YOU THINK YOU ARE GOD , BUT YOU ARE ONLY A CHUNK OF SHIT”.
  • It goes through all files and overwrites every 25th one with the text “YOUARESHIT”. It tries to overwrite sectors on the disk and afterwards tries to flash the BIOS.
  • A certain number of days after the computer is infected, icons sometimes try to evade the mouse cursor, making it impossible to work on the computer.
  • It overwrites ntldr and windows\win.com with destructive code.

The following texts can be found in the virus body:


sentences you
sentences him to
sentence you to
ordered to prison
convict
, judge
circuit judge
trial judge
found guilty
find him guilty
affirmed
judgment of conviction
verdict
guilty plea
trial court
trial chamber
sufficiency of proof
sufficiency of the evidence
proceedings
against the accused
habeas corpus
jugement
condamn
trouvons coupable
à rembourse
sous astreinte
aux entiers dépens
aux dépens
ayant délibéré
le présent arrêt
vu l'arrêt
conformément à la loi
exécution provisoire
rdonn
audience publique
a fait constater
cadre de la procédure
magistrad
apelante
recurso de apelaci
pena de arresto
y condeno
mando y firmo
calidad de denunciante
costas procesales
diligencias previas
antecedentes de hecho
hechos probados
sentencia
comparecer
juzgando
dictando la presente
los autos
en autos
denuncia presentada


Removal Instructions

If you are running Windows 95 / 98 / ME:

Please start your computer in DOS mode and use F-Prot for DOS. To boot into DOS press START \ SHUT DOWN \ RESTART IN MS-DOS MODE.
Windows ME users must use a Windows startup disk to start the computer in MS-DOS mode.

In DOS mode at the command prompt type:


cd \            [ENTER]
cd progra~1     [ENTER]
cd fsi          [ENTER]
cd f-prot       [ENTER]
f-prot.exe      [ENTER]

Set the scanner to “Automatic disinfection.”

If you are running Windows NT / 2000 / XP:

  1. Click “Start” / “Run”, type “cmd” and press ENTER
  2. A Command Prompt window appears
  3. Press “Ctrl-Alt-Del” once and click on “Processes”
  4. In “Processes” find “Explorer.exe” and select “End process”. The Desktop will disappear; only the background/wallpaper and the Command Prompt window remain visible.
  5. In the command prompt window type the following:
    cd \            [ENTER]
    cd program files        [ENTER]
    cd fsi          [ENTER]
    cd f-prot       [ENTER]
    
    fpcmd c: /disinf /auto /list [ENTER]
    

When the scanning is done type:

explorer [ENTER]

The Desktop should reappear and you can close the command prompt window.

If you need further information please contact our support department.


Ragnar Gisli Olafsson FRISK Software international