Magistr is a polymorphic virus from Sweden that is capable of mass mailing itself to addresses found within the Windows Address Book, Outlook, and Netscape address books as well as to addresses found in e-mail within these mailboxes. The subject and body of the infected e-mail change, using file names found on the infected computer. Magistr may send more than one .exe file as an attachment, and may also send non-infected attachments. Magistr's code is encrypted, and uses anti-debugging techniques to avoid detection. Magistr also contains a destructive payload. Within the last few weeks, antivirus companies have seen an increase in the number of submissions for this virus. Therefore, Magistr has been updated to a 7 on the ZDNet Virus Meter.
How it works
Magistr arrives as an e-mail with the following:
Subject: [random]
Body: [random]
Attachment: [random]
If the attached infected file is executed, Magistr will randomly infect a file, then add the infected file name to the RUN= line in the Win.ini file. It will also add the infected file name to the system Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\(infected filename)
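Because the autostart entry carries the name of a randomly infected file, there is no fixed name to search for; the practical check is to compare the Win.ini RUN= line and the Run key against a snapshot from a known-clean system. The following is an added example, not part of the original advisory: it assumes the Win.ini contents and a regedit export of the Run key are available as text, and the sample data, baseline, and function names are constructed for illustration.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample inputs (not taken from a real infection).
SAMPLE_WININI = r"""[windows]
load=
run=C:\WINDOWS\SNDVOL32.EXE
"""
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"SNDVOL32"="C:\\WINDOWS\\SNDVOL32.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\SETUP.EXE"
'''
BASELINE = [("HKLM Run", "SysTray.Exe")]  # hypothetical known-clean snapshot

def winini_run_entries(text):
    """Programs on the run= line of the [windows] section of Win.ini."""
    section, found = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "windows" and line.lower().startswith("run="):
            # Entries are separated by spaces or commas.
            found += [p for p in re.split(r"[ ,]+", line[4:]) if p]
    return found

def run_key_values(reg_text):
    """{value name: data} under the Run key in a regedit export."""
    in_key, values = False, {}
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if in_key and m:
            name, data = (s.replace('\\"', '"').replace("\\\\", "\\") for s in m.groups())
            values[name] = data
    return values

def new_autostarts(winini_text, reg_text, baseline):
    """Autostart entries that are absent from the known-clean baseline."""
    current = {("win.ini run=", p.lower()) for p in winini_run_entries(winini_text)}
    current |= {("HKLM Run", d.lower()) for d in run_key_values(reg_text).values()}
    return sorted(current - {(src, prog.lower()) for src, prog in baseline})
```

Calling `new_autostarts(SAMPLE_WININI, SAMPLE_REG, BASELINE)` returns the entries to review; any program that appears only after the baseline was taken should be scanned before it is trusted.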
When executed, Magistr displays the following message:
Another haughty bloodsucker…….
YOU THINK YOU ARE GOD ,
BUT YOU ARE ONLY A CHUNK OF SH--
Magistr then obtains the user's e-mail name from the Registry (if using Outlook) or the Prefs.js file (if using Netscape) and updates the last 10 infected users list stored within its viral code. Magistr then searches for all sent e-mail addresses, and sends randomly constructed messages to up to 100 people.
If the virus remains active for one month and has sent 100 copies of itself, Magistr will destroy the computer's CMOS/BIOS information as well as sectors on the hard drive on Windows 95, 98, and Me systems. Magistr will overwrite every 25th file with the words YOUARESH-- as many times as it can, and delete every other file on the hard drive.
Within its code, Magistr contains the following attribution:
ARF! ARF! I GOT YOU! v1rus: Judges
Disemboweler. by The Judges Disemboweler
written in Malmo (Sweden)
Removal and prevention
The following antivirus software vendors have updated their signature files to detect and repair Magistr: McAfee, Sophos, Trend Micro, Central Command, and Symantec. Central Command now offers a special tool designed to remove Magistr.
Prevention
Here are the key steps for preventing this virus outbreak:
- Download Microsoft's Outlook Security Patch. If you haven't already installed it, download the Outlook 98 Security Patch or the Outlook 2000 Security Patch. Please note that this patch does not include Outlook Express.
- "Don't open attachments!" One way to prevent virus infections is not to open attachments, especially when viruses such as Magistr are being actively circulated. Even if the e-mail is from a known source, be careful. A few viruses take the mailing lists from an infected computer and send out new messages with their destructive payload attached. Always scan the attached files first for viruses. Unless it's a file or an image you are expecting, delete it.
- Stay informed. Did you know that there are virus and security alerts almost every day? Keep up-to-date on breaking viruses and solutions by bookmarking our Viruses, Bugs, Security Alerts page.
- Get protected. If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these top-rated programs then following the installation instructions. If you're on a network, check with your network administrator first.
- Scan your system regularly. If you're just loading anti-virus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the antivirus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.
- Update your anti-virus software. Now that you have virus protection software installed, make sure it's up-to-date. Some antivirus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat.
To stay up-to-date on the latest virus alerts and solutions, bookmark our Virus Protection Guide.