Threat Encyclopedia


Win32/Magistr.24876

Win32/Magistr.24876 combines a file virus with a worm. It infects executable programs in PE format on local and network disks, and it can also spread as a file attached to electronic mail messages.
When an infected file is executed, the virus installs itself in memory and runs in the background. Its installation is rather involved: the virus modifies the image of EXPLORER.EXE in memory so that the rest of the virus is executed from within that process. After this modification the virus waits for a certain period and then infects a file in the directory in which Windows is installed. By creating a key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the system registry, the virus ensures that this infected file is started at each system restart. In addition to the registry key, the virus also adds a command that starts the infected file to the system file WIN.INI.
Once its repeated activation is ensured, the virus infects files on local and network disks. On network disks it modifies WIN.INI in the same way as on the local disk.
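The two persistence mechanisms described above (a Run key and a WIN.INI entry pointing at the same infected file) can be correlated on a collected host snapshot. The following is an added example, not ESET's code or part of the original entry: it parses the run=/load= lines of the [windows] section of WIN.INI, compares them with a Run-key listing, and reports programs registered in both places. The WIN.INI text and the Run-key dictionary are constructed samples, and the file name SYSCHK32.EXE is hypothetical.

```python
"""Correlate WIN.INI autostart lines with HKLM\\...\\CurrentVersion\\Run entries.

Added example, not part of the original ESET entry. All sample data below is
constructed; SYSCHK32.EXE is a hypothetical file name.
"""
import re
from typing import Dict, List

# Constructed WIN.INI fragment. Under Windows 9x the run= and load= keys of
# the [windows] section start programs at logon (several programs may be
# listed, separated by spaces or commas).
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSCHK32.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed snapshot of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# as value name -> command line, the way a `reg query` dump would be collected.
SAMPLE_RUN_KEY: Dict[str, str] = {
    "SystemTray": "SysTray.Exe",
    "ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun",
    "syschk": "C:\\WINDOWS\\SYSCHK32.EXE",
}


def win_ini_autostarts(text: str) -> List[str]:
    """Return every program referenced by run= or load= under [windows]."""
    section = None
    found: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ("run", "load"):
            found.extend(p for p in re.split(r"[ ,]+", value) if p)
    return found


def _image_name(command: str) -> str:
    """Lower-cased file name of the program a command line starts."""
    command = command.strip()
    if command.startswith('"'):
        image = command[1:].split('"', 1)[0]      # quoted path, may contain spaces
    else:
        image = command.split()[0] if command else ""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate_autostarts(win_ini: str, run_key: Dict[str, str]) -> List[str]:
    """File names that appear in BOTH WIN.INI and the Run key.

    Magistr registers the same infected file in both places, so a match is
    worth a look; legitimate software rarely uses both mechanisms at once.
    """
    ini_names = {_image_name(p) for p in win_ini_autostarts(win_ini)}
    run_names = {_image_name(cmd) for cmd in run_key.values()}
    return sorted((ini_names & run_names) - {""})


if __name__ == "__main__":
    for exe in correlate_autostarts(SAMPLE_WIN_INI, SAMPLE_RUN_KEY):
        print("registered in both WIN.INI and the Run key:", exe)
```

On a real host the WIN.INI text comes from %WINDIR%\WIN.INI and the Run-key listing from the registry; the comparison is by file name only, so a hit still needs the file itself examined.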
When infecting a file the virus inserts polymorphic code into the file body and redirects control to the polymorphic decoder located at the end of the virus; the decoder then decrypts the virus body. The virus spreads by electronic mail on its own, without the help of any mail client. It harvests e-mail addresses from messages stored by Netscape Messenger, Outlook Express and Internet Mail and News. To the addresses found it sends a randomly generated e-mail. The subject and body of the message are random; they may contain fragments of documents and text files present on the disk, or they may be blank. Attached to a message generated in this way is a file infected by the virus.
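Because control is redirected to a decoder sitting at the end of the virus body, an infected program's entry point no longer lies in its original code section. The following added example (not ESET's code and not the virus's) builds two constructed, headers-only PE32 images and applies that heuristic: it parses the PE headers, locates the section containing AddressOfEntryPoint, and flags an entry point that lands in the last section or in a non-executable one. The section layout and addresses are made up for illustration.

```python
"""Entry-point heuristic for appended PE file infectors.

Added example, not part of the original ESET entry. The two images below are
constructed (headers and section table only, no code bytes).
"""
import struct
from typing import List, NamedTuple, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    characteristics: int


def build_pe(entry_point: int, sections: List[Section]) -> bytes:
    """Assemble a minimal PE32 image: DOS header, PE signature, file header,
    optional header (only magic and entry point filled in) and section table."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                    # standard PE32 optional header
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", optional, 16, entry_point)  # AddressOfEntryPoint (RVA)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", s.name.encode("ascii").ljust(8, b"\0"),
                    s.virtual_size, s.virtual_address, 0, 0, 0, 0, 0, 0, s.characteristics)
        for s in sections)
    return dos_header + b"PE\0\0" + file_header + bytes(optional) + table


def parse_pe(image: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section table) from a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    (entry_point,) = struct.unpack_from("<I", image, e_lfanew + 40)
    sections: List[Section] = []
    offset = e_lfanew + 24 + opt_size                   # first IMAGE_SECTION_HEADER
    for _ in range(num_sections):
        name, vsize, vaddr, *_rest, chars = struct.unpack_from("<8sIIIIIIHHI", image, offset)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
        offset += 40
    return entry_point, sections


def entry_point_verdict(image: bytes) -> str:
    """Classify where the entry point lands; returns a short verdict string."""
    entry_point, sections = parse_pe(image)
    for index, sec in enumerate(sections):
        if sec.virtual_address <= entry_point < sec.virtual_address + sec.virtual_size:
            if not sec.characteristics & IMAGE_SCN_MEM_EXECUTE:
                return f"suspicious: entry point in non-executable section {sec.name}"
            if index == len(sections) - 1 and len(sections) > 1:
                return f"suspicious: entry point in last section {sec.name}"
            return f"clean: entry point in {sec.name}"
    return "suspicious: entry point outside every section"


# Constructed clean layout: entry point inside .text.
CLEAN_IMAGE = build_pe(0x1234, [
    Section(".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    Section(".data", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    Section(".rsrc", 0x4000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

# Same program after an appending infector: the last section has grown to hold
# the virus body and its decoder, is now executable, and the entry point
# points at the decoder near the end of it.
INFECTED_IMAGE = build_pe(0x10F00, [
    Section(".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    Section(".data", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    Section(".rsrc", 0x4000, 0xD000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
            | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("infected-like", INFECTED_IMAGE)):
        print(f"{label}: {entry_point_verdict(image)}")
```

A hit from this check is a triage signal, not a detection: run-time packers also move the entry point into a trailing section, and a polymorphic body cannot be matched byte-for-byte anyway, which is why scanners emulate or decrypt the decoder rather than rely on a static signature.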
The virus has two payloads. The first is harmless but very unpleasant: icons on the screen "run away" from the mouse cursor. One month after the computer was infected, the second payload overwrites all files on local and network disks with the text YOUARESHIT. The virus then tries to modify the contents of CMOS memory and to overwrite the BIOS flash. After that it displays the following message:

The body of the virus also contains the following text:

ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler. by: The Judges Disemboweler. written in Malmo (Sweden).

While spreading by electronic mail the virus keeps a "log" of the last 10 addresses from which it was spread. The anti-virus system NOD32 version 1.77 and newer can remove this virus.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.