Magistr: blends virus and worm with multilevel polymorphism.
Kaspersky Labs has warned computer users about the discovery of a new and extremely dangerous computer virus, "Magistr," which spreads via e-mail and local area networks and uses a set of nifty techniques to hide its presence on infected computers, making it very difficult to detect and disinfect. According to comments found in the virus body, it was written in Malmo, Sweden by a hacker going by the pseudonym "The Judges Disemboweler." Kaspersky Lab has already received several reports of the worm in the wild. "Magistr" can enter a computer in three ways: first, via e-mail, when a user accidentally launches the infected attached file; second, over the local area network (LAN), by infecting files found in the shared resources of accessible servers and workstations; third, when an infected file is delivered to a system on removable storage media or downloaded from the Internet or other networks. Once the infected file is executed, the virus begins to penetrate the system and distribute itself by mass e-mail, and after some time it activates its built-in destructive payload.
For the mass e-mail distribution, "Magistr" scans the Outlook Express, Internet Mail and Netscape Messenger mail databases and the Windows address book, and reads all e-mail addresses found there. The locations and names of the mail databases are stored in a special file with the DAT extension. The file's name is derived by encrypting the computer's name: for instance, if a computer is named CS-GOAT, the file will be named WG-SKYT.DAT. Depending on the first character of the filename, the virus places this file in the root directory of the C: drive or in the "Windows" or "Program Files" directory.
After this, "Magistr" silently determines the SMTP server used by the infected computer and, on behalf of the user, sends out through that server e-mail messages containing randomly chosen PE EXE or SCR files of less than 132Kb that have already been infected with the virus. The subjects of the messages are selected at random from DOC and TXT files found on the computer or from a list of English, Spanish and French phrases planted in the virus body. The body of the messages contains no text. This variability in the outward appearance of the distributed e-mails makes it significantly harder for users to recognize infected messages themselves. It is important to note that when sending out infected e-mails, "Magistr" randomly alters the sender's return address by deleting or changing some characters. This also helps the virus hide its activity: the recipient cannot reply because the return address is incorrect, so the sender never learns that the virus is sending unauthorized messages from his or her computer.
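The traits listed above (an empty message body carrying a small PE EXE or SCR attachment) are exactly what a mail gateway can key on. The following is an added example written for this article, not Kaspersky code and not derived from the virus: it parses constructed sample messages and flags any whose body is blank and whose .exe/.scr attachment begins with the "MZ" executable header and is under the stated size limit. "132Kb" is assumed here to mean 132 × 1024 bytes; the sample messages and sender addresses are constructed.

```python
"""Mail-gateway heuristic for the mass-mailer traits described in the article.

Added example; not Kaspersky code.  Flags a message when an empty body is
combined with a small .exe/.scr attachment that starts with the MZ header.
All sample messages below are constructed, not real captures.
"""
import base64
import email
from email import policy

MAX_ATTACH_BYTES = 132 * 1024            # assumption: "less than 132Kb" read as 132 KiB
SUSPECT_EXTENSIONS = (".exe", ".scr")    # PE EXE and SCR files, per the article
MZ_MAGIC = b"MZ"                         # DOS header magic at the start of every PE file


def build_message(sender, subject, body_text, attachments):
    """Return raw RFC 5322 bytes for a constructed multipart/mixed message."""
    boundary = "constructed-sample-boundary"
    lines = [
        f"From: {sender}",
        "To: user@example.invalid",
        f"Subject: {subject}",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
        "",
        f"--{boundary}",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        body_text,
    ]
    for name, data in attachments:
        lines += [
            f"--{boundary}",
            f'Content-Type: application/octet-stream; name="{name}"',
            "Content-Transfer-Encoding: base64",
            f'Content-Disposition: attachment; filename="{name}"',
            "",
            base64.b64encode(data).decode("ascii"),
        ]
    lines += [f"--{boundary}--", ""]
    return "\r\n".join(lines).encode("ascii")


def body_is_empty(msg):
    """True when the message has no text part or that part is blank."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or body.get_content().strip() == ""


def suspect_attachments(msg):
    """List (filename, size) for small MZ executables carrying .exe/.scr names."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if (name.endswith(SUSPECT_EXTENSIONS)
                and data.startswith(MZ_MAGIC)
                and len(data) < MAX_ATTACH_BYTES):
            hits.append((name, len(data)))
    return hits


def classify(raw_bytes):
    """Return ("suspect", hits) when an empty body carries a small executable."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = suspect_attachments(msg)
    if hits and body_is_empty(msg):
        return "suspect", hits
    return "clean", hits


# Constructed samples.  FAKE_EXE is a 4 KB stand-in for an infected PE file.
FAKE_EXE = MZ_MAGIC + b"\x00" * 4094
SAMPLE_SUSPECT = build_message("us3r@example.invalid", "Re: quarterly figures", "",
                               [("report.scr", FAKE_EXE)])
SAMPLE_CLEAN = build_message("user@example.invalid", "Quarterly figures",
                             "Attached as discussed.", [("figures.txt", b"Q1 ok\n")])
SAMPLE_LARGE = build_message("user@example.invalid", "Setup", "",
                             [("setup.exe", MZ_MAGIC + b"\x00" * (MAX_ATTACH_BYTES + 10))])

if __name__ == "__main__":
    for label, raw in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN),
                       ("large", SAMPLE_LARGE)):
        print(label, classify(raw))
```

The size threshold is taken straight from the article, which is why the oversized sample passes as clean: the check is a heuristic for this one mailer's habits, not a general attachment policy, and a gateway would normally combine it with a blanket rule on executable attachments.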
After the virus code is executed, "Magistr" infects all PE EXE and SCR files found in the "Windows," "WinNT," "Win95" and "Win98" directories of all local and network drives connected to the computer. It then scans all available network resources, looks for the same directories, and infects the PE EXE and SCR files there. When infecting files, "Magistr" uses several very sophisticated techniques that significantly complicate its detection and removal. The virus is divided into three parts, two of which are encrypted with a strong polymorphic algorithm, so that the infected file is laid out as shown in the screen shot at https://www.kaspersky.com/news.asp?tnews=0&nview=l&id=169&page=0. When the infected file is run, the virus immediately takes control at the program's entry point and redirects execution to the main virus code; only after the main virus code has completed does it return control to the original program. To secure its permanent presence in infected systems, "Magistr" modifies the WIN.INI configuration file and the Windows system registry so that the virus is activated each time the system boots. When infecting network resources, the virus modifies the WIN.INI file only.
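The file-level symptom of the infection described above is an entry point that no longer lands in the program's original code section. The following added example, written for this article and not Kaspersky's scanner (it does not identify Magistr specifically), parses just enough of a PE file's headers to find the section containing AddressOfEntryPoint and reports the generic warning signs an anti-virus engine or file-integrity tool would look at: an entry point outside every section, in a section not marked as code, in a writable section, or in a trailing section appended after the original ones. The IMAGE_SCN_* flag values are the real Win32 constants; the sample files are constructed minimal headers with zero-filled section bodies, not loadable programs.

```python
"""Static entry-point sanity check for PE files.

Added example; not Kaspersky code and not a Magistr signature.  Parses the DOS
header, COFF header, optional header and section table, then reports where the
entry point falls.  Sample files are constructed, header-only images.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"            # 40-byte IMAGE_SECTION_HEADER
OPTIONAL_HEADER_SIZE = 224                  # PE32 optional header


def parse_pe(data):
    """Return (entry_rva, sections); each section is a dict from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, data, opt + opt_size + 40 * i)
        name, vsize, vaddr, rawsize, _rawptr, _, _, _, _, chars = fields
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "size": max(vsize, rawsize), "chars": chars})
    return entry_rva, sections


def check_entry_point(data):
    """Return (section name or None, list of findings); an empty list is a clean result."""
    entry_rva, sections = parse_pe(data)
    reasons, home = [], None
    for idx, sec in enumerate(sections):
        if sec["vaddr"] <= entry_rva < sec["vaddr"] + sec["size"]:
            home = sec
            if not sec["chars"] & IMAGE_SCN_CNT_CODE:
                reasons.append("entry point in a section not marked as code")
            if sec["chars"] & IMAGE_SCN_MEM_WRITE:
                reasons.append("entry point in a writable section")
            if idx == len(sections) - 1 and len(sections) > 1:
                reasons.append("entry point in the last (appended) section")
            break
    if home is None:
        reasons.append("entry point outside every section")
    return (home["name"] if home else None), reasons


def build_pe(sections, entry_rva):
    """Construct a minimal PE32 image: real headers, zero-filled section bodies."""
    headers_len = 64 + 4 + 20 + OPTIONAL_HEADER_SIZE + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       OPTIONAL_HEADER_SIZE, 0x0102)            # i386, EXECUTABLE|32BIT
    opt = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table, bodies, raw_ptr = b"", b"", headers_len
    for name, vaddr, size, chars in sections:
        table += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), size, vaddr,
                             size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += b"\0" * size
        raw_ptr += size
    return dos + b"PE\0\0" + coff + bytes(opt) + table + bodies


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed samples: an ordinary layout, and the same file with a third
# section appended and the entry point moved into it.
CLEAN_PE = build_pe([(b".text", 0x1000, 0x200, CODE), (b".data", 0x2000, 0x100, DATA)], 0x1000)
HOOKED_PE = build_pe([(b".text", 0x1000, 0x200, CODE), (b".data", 0x2000, 0x100, DATA),
                      (b".added", 0x3000, 0x400, CODE | IMAGE_SCN_MEM_WRITE)], 0x3050)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("hooked", HOOKED_PE)):
        print(label, check_entry_point(image))
```

None of these findings is proof of infection on its own (packers and some linkers produce similar layouts), which is why a scanner treats them as a trigger for closer inspection rather than a verdict.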
"Magistr" carries a very dangerous destructive payload. One month after the day of the first infection, the virus destroys all files on the local and network drives of computers running Windows NT/2000 by replacing their original contents with the string "YOUARESHIT". Under Windows 95/98, the virus additionally clears the CMOS memory settings (CMOS holds the computer's boot-up hardware settings) and, just like the "Chernobyl" (CIH) virus, destroys the data in the FLASH BIOS microchip. After this, it displays the following message box:
Another haughty bloodsucker.... YOU THINK YOU ARE GOD, BUT YOU ARE ONLY A CHUNK OF SHIT www.kaspersky.com
Title Annotation: Virus Notes
Publication: Database and Network Journal
Date: Apr 1, 2001
Words: 765