
Don't open anything from me with an attachment!!!


>All,

Please don't open any files sent from me! My husband opened an .exe file this morning and well it was a virus. Spent all morning trying to figure out how I got it and of course get rid of it. So please don't open any attachments from me unless I tell you what they are for...

Here's the info on the darn thing.....sorry!

Robin

Anyway, here's what the virus is: W32/Magistr.a@MM.

Virus Profile

Virus Name: W32/Magistr.a@MM
Risk Assessment: Medium

Virus Information:

Date Discovered: 3/12/01
Date Added: 3/13/01
Origin: Europe
Length: Varies, adds at least 24 Kb
Type: Virus
SubType: Worm
DAT Required: 4128

Virus Characteristics:

W32/Magistr@MM is a combination of a file-infector virus and an e-mail worm.

- The viral code infects 32-bit PE (.exe) files in the WINDOWS directory and its subdirectories.

- The worm part uses mass-mailing techniques to send itself to e-mail addresses stored in several places. The worm installs itself to run at each system startup.

Five minutes after the virus is run, it attempts a mailing routine. E-mail addresses are gathered from the Windows Address Book, Outlook Express mailboxes, and Netscape mailboxes (addresses found in the e-mail messages within existing mailboxes are gathered), and these file locations and addresses are saved to a hidden .DAT file somewhere on the hard disk (location varies). The messages sent by the worm contain varying subject headings, body text, and attachments. The body of the message is derived from the contents of other files on the victim's computer. It may send more than one attachment and may include non-.EXE or non-viral files along with an infectious .EXE file.

The virus proceeds by infecting 32-bit PE (Portable Executable) .EXE files found in the WINDOWS SYSTEM directory and its subdirectories. The viral code is encrypted, polymorphic, and uses anti-debugging techniques to make it difficult to detect. E-mail addresses have been seen encrypted in infected files. These addresses are believed to represent other users that have also been infected from the same point of origin.

In the decrypted body of the virus code, the following comments exist:

ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler.

by: The Judges Disemboweler.

written in Malmo (Sweden)

W32/Magistr@MM has a payload routine that on some systems may result in CMOS/BIOS information being erased as well as sectors on the hard disk being destroyed.

Indications Of Infection:

- Icons on the desktop move when the mouse cursor passes over them
- Increase in size of .EXE files (adds 24 Kb or more)
- Infected files carry a modified access date equal to the time of infection
- Presence of a newly created .DAT file containing e-mail addresses (representing those users to whom the virus was sent)
- Entry in WIN.INI: RUN=(App)
- Entry in the Registry, Run key value:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AppName (varies)=C:\WINDOWS\SYSTEM\(App).EXE (varies)

Method Of Infection:

This worm arrives as an .EXE file with varying filenames. Executing the attachment infects the machine, which is then used to propagate the virus.

When first run, the virus may copy one .EXE file in the WINDOWS or WINDOWS SYSTEM directory using the same name with an altered last character. For example, CFGWIZ32.EXE becomes CFGWIZ31.EXE, PSTORES.EXE becomes PSTORER.EXE, etc. (This naming convention seems to be consistent: the last character of the filename is decremented by one.)

This copy is then infected, and a WIN.INI entry or a registry Run key value may be created to execute this infected file upon system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CFGWIZ31=C:\WINDOWS\SYSTEM\CFGWZ31.EXE

This copied executable, when run, infects other PE .EXE files in the SYSTEM directory and its subdirectories. It also infects over open network shares.

This virus will create a .DAT file on the local file system which contains the names of the files e-mail addresses were harvested from (.dbx, .mbx, .wab), and also the e-mail addresses which will be used as a target list. The .DAT file will be named after the machine name, but with the letters offset. For instance, here is a corresponding list of letter equivalents used:

Numbers are not affected. So a machine name of ABC-123 would have a .DAT file on the local system named YXW-123.DAT.

An additional item of note is that this worm often alters the REPLY-TO e-mail address when mailing itself to others. In a similar fashion to the other name changes made by this virus, one letter of the address is incremented or decremented. Thus, when attempting to contact the infected user to alert them, the message is often returned due to this address modification.

Removal Instructions:

All Users:

Use the specified engine and DAT files for detection and removal.

Additional Windows ME Info:

NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
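The host indicators in the profile above (a copy of a system executable whose last stem character is decremented by one, WIN.INI run= and Run-key entries pointing at that copy, and a Reply-To address with one letter moved up or down) can be checked mechanically. The script below is an added example written for this page; it is not code from the original post, from McAfee or from any vendor's tool. The directory listing, Run-key values, WIN.INI text and addresses in it are constructed samples modelled on the names quoted in the profile, and the choice not to produce a sibling name when the decrement leaves the alphanumeric range (for example 'A' to '@') is an assumption of mine, not something the profile states.

```python
"""Triage helpers for the W32/Magistr.a@MM indicators described in the
profile above. Added example for this page, not code from the original
post or from any antivirus vendor. Every sample below is constructed."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple


def decremented_sibling(name: str) -> Optional[str]:
    """Name Magistr would give its copy of `name`: the last character of the
    stem decremented by one (CFGWIZ32.EXE -> CFGWIZ31.EXE, PSTORES.EXE ->
    PSTORER.EXE). Assumption (not stated in the profile): a decrement that
    leaves the alphanumeric range ('A' -> '@', '0' -> '/') is not produced."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return None
    last = stem[-1]
    new = chr(ord(last) - 1)
    if not (last.isalnum() and new.isalnum()):
        return None
    return stem[:-1] + new + dot + ext


def find_sibling_pairs(filenames: Iterable[str]) -> List[Tuple[str, str]]:
    """(original, copy) pairs in a directory listing where the copy's name is
    the original's with the stem's last character decremented."""
    present: Set[str] = {f.upper() for f in filenames}
    pairs = []
    for f in sorted(present):
        sib = decremented_sibling(f)
        if sib and sib in present:
            pairs.append((f, sib))
    return pairs


def win_ini_run_entries(text: str) -> List[str]:
    """Programs started from the run= / load= lines of WIN.INI's [windows]
    section (the profile says Magistr may persist here instead of the registry)."""
    entries, in_windows = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
            continue
        if not in_windows:
            continue
        m = re.match(r"(run|load)\s*=\s*(.*)", s, re.IGNORECASE)
        if m:
            # run= and load= take space- or comma-separated program lists
            entries += [p for p in re.split(r"[ ,]+", m.group(2).strip()) if p]
    return entries


def suspicious_run_values(run_values: Dict[str, str],
                          system_dir_listing: Iterable[str]) -> Dict[str, str]:
    """Run-key values (name -> command) whose target is a decremented-sibling
    copy of a file that is also present, e.g. CFGWIZ31=...\\CFGWIZ31.EXE beside
    CFGWIZ32.EXE. Quoted paths and forward slashes are tolerated."""
    copies = {copy for _, copy in find_sibling_pairs(system_dir_listing)}
    flagged = {}
    for name, cmd in run_values.items():
        base = cmd.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].upper()
        if base in copies:
            flagged[name] = cmd
    return flagged


def one_step_variants(address: str) -> Set[str]:
    """Every address obtained by moving exactly one letter up or down by one,
    which is how the profile says Magistr mangles the Reply-To header."""
    out: Set[str] = set()
    for i, ch in enumerate(address):
        if not ch.isalpha():
            continue
        for delta in (-1, 1):
            c = chr(ord(ch) + delta)
            if c.isalpha():
                out.add(address[:i] + c + address[i + 1:])
    return out


def likely_true_senders(reply_to: str, address_book: Iterable[str]) -> List[str]:
    """Address-book entries one letter step away from a mangled Reply-To: the
    people to actually warn when a reply to the worm's own header bounces."""
    book = {a.lower() for a in address_book}
    return sorted(book & one_step_variants(reply_to.lower()))


# Constructed samples, modelled on the names and paths quoted in the profile.
SYSTEM_DIR = ["cfgwiz32.exe", "CFGWIZ31.EXE", "PSTORES.EXE", "PSTORER.EXE", "SYSTRAY.EXE"]
RUN_KEY = {"CFGWIZ31": r"C:\WINDOWS\SYSTEM\CFGWIZ31.EXE",
           "SystemTray": r"C:\WINDOWS\SYSTEM\SYSTRAY.EXE"}
WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\CFGWIZ31.EXE
[Desktop]
Wallpaper=(None)
"""
ADDRESS_BOOK = ["robin@example.com", "rob@example.com", "alice@example.org"]

if __name__ == "__main__":
    print("sibling copies:", find_sibling_pairs(SYSTEM_DIR))
    print("Run-key values to inspect:", suspicious_run_values(RUN_KEY, SYSTEM_DIR))
    print("WIN.INI run=/load=:", win_ini_run_entries(WIN_INI))
    print("who to warn for mangled Reply-To robim@example.com:",
          likely_true_senders("robim@example.com", ADDRESS_BOOK))
```

On a real machine the listing would come from the WINDOWS\SYSTEM directory, the Run values from the registry key named in the profile, and WIN.INI from C:\WINDOWS; the sibling check is the strongest of the three because a legitimate program has no reason to ship as both PSTORES.EXE and PSTORER.EXE. The Reply-To helper only narrows the candidates, since several address-book entries could each be one letter away from the mangled header.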
