The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

 

 

We Build the Best & Repair the Rest! ©

 

Alerts March 2002

Top 10 malware reported to Sophos in March 2002

Position  Last month  Malware          Percentage of reports
1         4           W32/Klez-G       23.7%
2         2           W32/Badtrans-B   22.8%
3         5           W32/Magistr-B    6.9%
4         New         W32/FBound-C     6.8%
5         6           W32/Sircam-A     4.8%
6         7           W32/Magistr-A    3.6%
7         New         W32/Gibe-A       3.0%
8         New         W32/Caric-A      2.1%
9         9           W32/Hybris-B     1.7%
10        3           W32/Klez-E       1.5%
Others                                 23.1%

 

This section describes how W32/Magistr-B behaves.

W32/Magistr-B is a variant of W32/Magistr-A, a memory resident polymorphic Windows 32 executable file virus which spreads by infecting files, and via email.

The virus terminates ZoneAlarm before connecting to the Internet. Then it searches the user's address book, mailboxes and other files present on the computer for email addresses. The virus specifically targets addresses from Outlook Express, Netscape Messenger, Internet Mail and News and Eudora. It then sends itself to these email addresses using its own SMTP client.

The email message it sends has a randomly generated subject and body text. These fields are generated from the contents of document and text files found on the user's computer. As a result they may contain confidential information. The virus sends itself as an email attachment, the name of which is either the original name of the infected file or a randomly generated name. It uses one of the following extensions: COM, BAT, PIF and EXE. Sometimes it also attaches additional GIF, DOC or TXT files to the email.

W32/Magistr-B infects Windows EXE and SCR files on the local machine and in the local network. It deletes all NTZ files while it is searching for files. The virus makes sure that it is automatically run when the computer is restarted, randomly selecting one of the following three methods:

Adding the following entry to the win.ini file:

[WINDOWS]
run=infectedfilename

Adding the following entry to the system.ini file:

[boot]
shell=explorer.exe infectedfilename

Setting the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\infectedfile = <path to the infected file>


It also modifies the appropriate INI file on other network computers so that they will run the virus when they are restarted.
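The three startup locations listed above can be audited together when checking a machine, or an INI file copied from a network share, for this kind of persistence. The following is an added example, not Sophos's or this site's code; the allow-list of Run value names, the sample file contents and the SAMPLE file names are constructed assumptions.

```python
import re

# Value names approved for the Run key on this machine (assumed allow-list).
KNOWN_GOOD_RUN = {"SystemTray", "ScanRegistry"}
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def ini_value(text, section, key):
    """Return key's value inside [section] (case-insensitive), else None."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip().lower()
        elif current == section.lower() and "=" in line and not line.startswith(";"):
            name, value = line.split("=", 1)
            if name.strip().lower() == key.lower():
                return value.strip()
    return None

def audit_autoruns(win_ini, system_ini, run_values):
    """Return (location, value) pairs that need manual review."""
    findings = []
    run = ini_value(win_ini, "windows", "run")
    if run:  # any program listed on run= is started at logon
        findings.append(("win.ini [windows] run", run))
    shell = ini_value(system_ini, "boot", "shell")
    if shell and shell.lower() != "explorer.exe":  # extra program appended
        findings.append(("system.ini [boot] shell", shell))
    for name, path in sorted(run_values.items()):
        if name not in KNOWN_GOOD_RUN:
            findings.append((RUN_KEY + "\\" + name, path))
    return findings

# Constructed sample data, not taken from a real infection.
WIN_INI = "[Desktop]\nrun=ignored\n[WINDOWS]\nload=\nrun=C:\\WINDOWS\\SAMPLE1.EXE\n"
SYSTEM_INI = "; comment\n[boot]\nshell=Explorer.exe C:\\WINDOWS\\SAMPLE2.EXE\n"
RUN_VALUES = {"SystemTray": "SysTray.Exe", "SAMPLE3": "C:\\WINDOWS\\SAMPLE3.EXE"}
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"

if __name__ == "__main__":
    for location, value in audit_autoruns(WIN_INI, SYSTEM_INI, RUN_VALUES):
        print(f"REVIEW {location} = {value}")
```

A finding means the entry should be reviewed, not that the file it names is infected; legitimate software also uses these locations.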

Depending on the amount of time elapsed since the computer was first infected, and some other internal counters, the following payloads can be activated:

Overwriting win.com and ntldr with code that will overwrite the master boot sector of the hard disk with garbage next time the computer is restarted.
Overwriting all files with the string "YOUARESHIT".
Displaying the message
"Another haughty bloodsucker.......
YOU THINK YOU ARE GOD,
BUT YOU ARE ONLY A CHUNK OF SHIT".
Overwriting (under Win9x) the master boot sector of the hard disk with garbage so the computer won't boot again.
Making Desktop icons appear to "run away" from the mouse cursor.

 


Copyright © 1998 The Computer Guys
