Win32:Magistr
is a very dangerous combination of worm and virus, discovered in March 2001. It spreads via infected e-mails and also infects Windows executables on both local and network shared disks. The virus has a very nasty payload: it is able to erase hard drive data, CMOS memory and the Flash BIOS, using code similar to that of Win95:CIH. Win32:Magistr is written in assembler and is about 30 KB long. It uses two polymorphic methods.
When an infected program is run, the virus installs itself in memory and then runs in the background. It activates only after several minutes, so the connection between its activity and the infected program that was run is not obvious. The virus installs itself as a component of the EXPLORER.EXE process. It then infects a randomly chosen file in the Windows directory and registers that file so that it is executed on each Windows restart.
The virus then tries to infect all Win32 PE files, first in the Windows directories and finally on all local drives and shared network drives. On shared drives the virus registers itself on the other computers by writing a run= line into their WIN.INI file.
Win32:Magistr infects PE EXE files in a very complex way. It patches the entry code with a further polymorphic routine that passes control to the end of the file, where the main, encrypted virus code is located.
The virus then checks for installed e-mail clients (Outlook Express, Netscape Messenger, Internet Mail and News) and collects e-mail addresses from them. It sends itself to those addresses using its own SMTP routine. Such messages may have no body, or a random text harvested from DOC or TXT files found on the local disks; the same is true for the Subject. The attached file name varies, but it always has an EXE or SCR extension.
Win32:Magistr sometimes shows its presence on the computer: when the mouse cursor is moved over an icon, the virus moves the icon away from the cursor, so desktop icons appear to "escape" the mouse cursor.
One month after infecting the computer, the virus runs its payload routine, which overwrites files on all local and network drives with the text "YOUARESHIT". Under Win9x the virus also erases the CMOS, the Flash BIOS and hard drive data.
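The run= line in WIN.INI is an old-style autostart mechanism, so a quick triage step on a suspected host or share is to list what that file launches. The following is an added example written for this page, not avast! code and not code from the virus: a small tolerant parser for the [windows] section of WIN.INI that returns every program named on its load= and run= lines. The sample file content, including the program names, is constructed for the demonstration. It assumes the Win9x convention that run= entries are separated by spaces or commas, so paths containing spaces would be split apart and need manual review.

```python
import re


def win_ini_autostart(text):
    """Return (key, program) pairs for every program started from WIN.INI's
    [windows] section via load= or run=.  Section and key names are matched
    case-insensitively; blank lines and ';' comments are ignored."""
    section = None
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("run", "load"):
            # Assumption: entries are separated by spaces or commas (Win9x style);
            # an empty value ("run=") yields no entries.
            for prog in re.split(r"[ ,]+", value.strip()):
                if prog:
                    found.append((key, prog))
    return found


# Constructed sample WIN.INI; the file names are placeholders, not real samples.
SAMPLE_WIN_INI = """\
; constructed sample, not captured from an infected host
[windows]
load=
run=C:\\WINDOWS\\SAMPLE1.EXE, c:\\windows\\sample2.scr
NullPort=None
[Desktop]
Wallpaper=(None)
run=C:\\NOT\\AUTOSTART.EXE
"""

if __name__ == "__main__":
    for key, prog in win_ini_autostart(SAMPLE_WIN_INI):
        print("%s= launches %s" % (key, prog))
```

Anything returned here that points into the Windows directory with an unfamiliar name deserves a closer look; the entry under [Desktop] is deliberately ignored because only the [windows] section is honoured for autostart.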
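A file infector that appends its body to the end of a PE file and redirects the entry code there usually leaves traces in the section table that a generic check can spot. The block below is an added example written for this page, not avast! detection code and not a signature for Win32:Magistr: it parses the PE headers with the standard library only and reports three generic warning signs of appending infectors, namely an entry point outside every section, an entry point inside the last section, and a last section that is both writable and executable. The PE images it examines are built inline by a helper for the demonstration; they contain a few harmless bytes and no virus code. The `build_pe` helper, the section layouts and the flag names are assumptions made for the example.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry-point RVA, section table) of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # optional header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40                     # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rsize": rsize,
                         "rptr": rptr, "chars": chars})
    return entry_rva, sections


def entry_point_findings(data):
    """Generic heuristics for appending infectors; an empty list means nothing odd."""
    entry_rva, sections = parse_pe(data)
    findings = []
    last = sections[-1]
    home = None
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            home = s
            break
    if home is None:
        findings.append("entry point lies outside every section")
    elif home is last and len(sections) > 1:
        findings.append("entry point in last section %s" % home["name"])
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section %s is executable and writable" % last["name"])
    return findings


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(entry_rva, sections):
    """Assemble a minimal PE32 image for the demo (constructed input, not a real program).
    sections: list of (name bytes, virtual address, raw bytes, characteristics)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE header right after DOS header
    opt = bytearray(224)                                  # PE32 optional header incl. 16 data dirs
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    raw_ptr = _align(64 + 4 + len(coff) + len(opt) + 40 * len(sections), 0x200)
    table, body = bytearray(), bytearray()
    for name, vaddr, raw, chars in sections:
        rsize = _align(len(raw), 0x200)
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, rsize, raw_ptr,
                             0, 0, 0, 0, chars)
        body += raw.ljust(rsize, b"\0")
        raw_ptr += rsize
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return head.ljust(_align(len(head), 0x200), b"\0") + bytes(body)


CODE = b"\x55\x8b\xec\x33\xc0\x5d\xc3"      # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
DATA = b"hello\0"
TEXT_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ

# Constructed samples: a clean layout, the same file after an infector has patched the entry code
# with a jump and made the enlarged last section executable, and a variant whose entry point was
# moved into the last section.  No virus code is present; the "body" is padding.
CLEAN = build_pe(0x1000, [(b".text", 0x1000, CODE, TEXT_FLAGS),
                          (b".data", 0x2000, DATA, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])
PATCHED_ENTRY = build_pe(0x1000, [(b".text", 0x1000, b"\xe9\0\0\0\0" + CODE, TEXT_FLAGS),
                                  (b".data", 0x2000, DATA + b"\x90" * 64,
                                   IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)])
MOVED_ENTRY = build_pe(0x2010, [(b".text", 0x1000, CODE, TEXT_FLAGS),
                                (b".data", 0x2000, DATA + b"\x90" * 64,
                                 IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("patched entry", PATCHED_ENTRY), ("moved entry", MOVED_ENTRY)):
        print(label, entry_point_findings(image) or "no findings")
```

Because Magistr patches the entry code rather than moving the entry point, the first heuristic stays quiet on such a file and the writable-and-executable last section is the signal that remains; treat all of these as triage hints to be confirmed with a scanner, since packers and some linkers legitimately produce the same layouts.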
The virus then displays the following message:
Another haughty bloodsucker....... YOU THINK YOU ARE GOD , BUT YOU ARE ONLY A CHUNK OF SHIT
The virus contains the following "copyright" message in its body:
ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler. by: The Judges Disemboweler. written in Malmo (Sweden)
Any avast! with a VPS file dated after 3rd April 2001 is able to detect this virus.