Magistr: A Recipe of Blending Virus and Worm with Some Multilevel Polymorphism Flavour

Thursday 15 March 2001

Cambridge, United Kingdom, March 15, 2001 – Kaspersky Labs, an international data-security software-development company, warns computer users about the discovery of a new, extremely dangerous computer virus, "Magistr", which spreads via e-mail and local area networks and uses a set of nifty techniques to hide its presence on infected computers, making it very difficult to detect and disinfect. According to comments found in the virus body, it was written in Malmo, Sweden, by a hacker using the pseudonym "The Judges Disemboweler". Kaspersky Lab has already received several reports of the worm "in the wild".

"Magistr" can enter a computer in three ways: firstly, via e-mail, when a user launches the infected attachment; secondly, over the local area network (LAN), by infecting files found on the shared resources of reachable servers and workstations; thirdly, when an infected file is delivered to the system on removable storage media or downloaded from the Internet or another network.

Right after the infected file is executed, the virus installs itself into the system, starts mass e-mail distribution and, after some time, activates its built-in destructive payload.

To carry out the mass e-mail distribution, "Magistr" scans the Outlook Express, Internet Mail and Netscape Messenger mail databases and the Windows address book, and reads all e-mail addresses from them. Details of the mail databases' locations and names are stored in a special file with the DAT extension. The file's name is derived by encrypting the computer's own name: for instance, if the computer is named CS-GOAT, the file will be named WG-SKYF.DAT. Depending on the first character of the filename, the virus places this file in the root directory of the C: drive, in the "Windows" directory or in the "Program Files" directory.
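The press release gives the filename derivation only as a single example. As an added illustration (not Kaspersky's code and not taken from an analysis of the virus), the following Python derives the expected DAT name for a given computer name and checks a directory listing for it, which is how a defender would hunt for the address cache on a suspect host. It assumes that the mapping inferred from CS-GOAT to WG-SKYF.DAT (each letter replaced by the letter at alphabet index 24 minus its own index, so A and Y, B and X, C and W swap) holds for every letter, that non-letters pass through unchanged, and that all three candidate directories should be checked because the page does not say which first characters select which directory.

```python
import ntpath
import os
from typing import Iterable, List

# Assumption (inferred from the single example CS-GOAT -> WG-SKYF.DAT, not from
# analysis of the virus): each letter maps to the letter at index (24 - index) mod 26,
# which is its own inverse (A<->Y, B<->X, C<->W, ..., M->M, Z->Z). Other characters
# are assumed to pass through unchanged (the '-' in the example does).
def magistr_dat_name(computer_name: str) -> str:
    """Return the expected name of Magistr's address-cache file for this host."""
    out = []
    for ch in computer_name.upper():
        if "A" <= ch <= "Z":
            idx = ord(ch) - ord("A")
            out.append(chr(ord("A") + (24 - idx) % 26))
        else:
            out.append(ch)
    return "".join(out) + ".DAT"

# The page says the file lands in the C: root, the Windows directory or the
# Program Files directory depending on the first character; the rule is not
# given, so all three are checked (paths assumed; adjust for the host).
DEFAULT_SEARCH_DIRS = ["C:\\", "C:\\Windows", "C:\\Program Files"]

def matches_in_listing(computer_name: str, entries: Iterable[str]) -> List[str]:
    """Pure check: return the entries whose basename equals the derived name."""
    target = magistr_dat_name(computer_name)
    # ntpath.basename understands both '\\' and '/' regardless of host OS.
    return [e for e in entries if ntpath.basename(e).upper() == target]

def find_magistr_dat(computer_name: str, search_dirs=DEFAULT_SEARCH_DIRS) -> List[str]:
    """Scan the candidate directories on disk; unreadable directories are skipped."""
    found = []
    for d in search_dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue
        found.extend(matches_in_listing(computer_name, (os.path.join(d, n) for n in names)))
    return found

if __name__ == "__main__":
    # Constructed listing standing in for a directory scan of host CS-GOAT.
    sample = ["C:\\WG-SKYF.DAT", "C:\\Windows\\win.ini", "C:\\Program Files\\readme.txt"]
    print(magistr_dat_name("CS-GOAT"))            # WG-SKYF.DAT
    print(matches_in_listing("CS-GOAT", sample))  # ['C:\\WG-SKYF.DAT']
    # On a real Windows host: find_magistr_dat(os.environ.get("COMPUTERNAME", ""))
```

Because the inferred substitution is its own inverse, feeding a recovered DAT name back through the same function yields the computer name it was derived from.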
After this, "Magistr" silently determines the SMTP server the infected computer uses and, on the user's behalf, sends e-mail messages through that server carrying randomly chosen PE EXE or SCR files of less than 132 KB that it has already infected. The message subjects are selected at random from DOC and TXT files found on the computer or from a list of English, Spanish and French phrases embedded in the virus body; the message body contains no text. This variability in the outward appearance of the distributed e-mails makes it significantly harder for users to recognise infected messages themselves.

It is important to note that when sending infected e-mails, "Magistr" randomly alters the sender's return address by deleting or changing some characters. This also helps the virus hide its activity: the recipient cannot reply to the message because the return address is incorrect, so the sender never learns that the virus is sending unauthorised messages from their computer.

Right after the virus code is executed, "Magistr" infects all PE EXE and SCR files found in the "Windows", "WinNT", "Win95" and "Win98" directories of all local and network drives connected to the computer. It then scans all available network resources, looks for the same directories there, and infects the PE EXE and SCR files it finds.

When infecting files, "Magistr" uses several very sophisticated techniques that significantly complicate its detection and removal. The virus is divided into three parts, two of which are encrypted with a strong polymorphic algorithm, so an infected file is laid out as follows:

[Image: Magistr.bmp, layout of an infected file. Please contact Marylebone Media Relations on 0118 9755188 if you wish to receive the file.]

Because of this layout, when the infected file is run the virus immediately intercepts execution at the program's entry point and redirects the processor to the main virus code.
Only after the main virus code has completed does the virus return control to the original program.

To secure its persistent presence on infected systems, "Magistr" modifies the WIN.INI configuration file and the Windows system registry so that the virus is activated each time the system boots. When infecting network resources, the virus modifies only the WIN.INI file.

"Magistr" carries a very dangerous destructive payload. One month after the day of the first infection, the virus destroys all files on the local and network drives of computers running Windows NT/2000 by replacing their original contents with the string "YOUARESHIT". Under Windows 95/98 the virus additionally wipes the CMOS memory settings (CMOS holds the computer's boot-time hardware settings) and, just like the "Chernobyl" (CIH) virus, destroys the data in the FLASH BIOS chip. It then displays the following message box:

Another haughty bloodsucker....... YOU THINK YOU ARE GOD , BUT YOU ARE ONLY A CHUNK OF SHIT

Depending on internal triggers, the virus also runs another payload routine that produces a "runaway icons" effect: when the user tries to point the cursor at a desktop icon, the icon immediately moves elsewhere, so the user cannot start the corresponding application:

[Image: Magistr_icons.bmp, the "runaway icons" effect. Please contact Marylebone Media Relations on 0118 9755188 if you wish to receive the file.]

"In this particular case, we are dealing with a very complex and technologically advanced computer virus, which is powered by all the most effective ways of spreading, infection and masquerading, and has a very dangerous payload," said Denis Zenkin, Head of Corporate Communications for Kaspersky Lab. "As a matter of fact, 'Magistr' is a result of the successful crossing of the outstanding spreading speed of the 'ILOVEYOU' virus and 'Chernobyl's' extreme destructiveness."
Taking into account the danger and the extremely rapid spread of the "Magistr" virus, Kaspersky Lab recommends that its users update the Kaspersky Anti-Virus database as soon as possible. Protection against the virus has already been added to the program's daily update. Kaspersky Anti-Virus can be purchased from the Kaspersky Lab online store or from the worldwide network of Kaspersky Anti-Virus distributors and resellers.

About Kaspersky Lab

Kaspersky Labs Int. is a fast-growing, international, privately owned data-security software-development company with offices in Moscow (Russia), Cambridge (UK) and Walnut Creek (United States). Founded in 1997, the company concentrates its efforts on the development of world-leading anti-virus technologies and software. Kaspersky Lab also provides free online security-related Internet information services. The company markets, distributes and supports its software and services in more than 40 countries worldwide.

Media Contacts

Denis Zenkin, Kaspersky Lab, Ltd.
Phone: +7 (095) 797 87 00
E-mail: firstname.lastname@example.org
WWW: http://kaspersky.com

Sara Claridge, Marylebone Media Relations
Phone: +44 118 975 5188
E-mail: email@example.com

This press release was distributed by ResponseSource Press Release Wire on behalf of Marylebone Media Relations (https://pressreleasewire.responsesource.com/about).