
Win32.Magistr.B@mm

HIGH
HIGH
30 K
(N/A)

Symptoms

-none

Removal instructions:

Important: You will have to close all applications before running the
tool (including the antivirus shields) and restart the computer afterwards.
Additionally, you will have to manually delete the infected files located in archives
and the infected messages from your mail client.


To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.

The BitDefender AntiMagistr.B tool does the following:
- it cleans all files infected with Win32.Magistr (all known versions);
- it kills the process from memory;
- it repairs the Windows registry.

Analyzed By

Marius Gheorghescu
BitDefender Virus Researcher

Technical Description:

This virus is an improved and more stable version of Win32.Magistr.A@mm.
Its decryption routine is more elaborate, and the original code from the entry point is now encrypted with a key generated from the computer name. Because of this, cleaning the infected files is more difficult: the host file can only be restored on the machine where it was infected, or with knowledge of that machine's computer name.

It is able to infect more computers connected in a network because it now looks for more Windows directory names than the previous version.

In network infection it searches for the following directory names:

WINDOWS
WIN95
WIN98
WINME
WINNT
WIN2000
WIN2K
WINXP


and infects the files in those directories. After that it registers itself on the remote machine in WIN.INI, on the run= line of the [windows] section, and in SYSTEM.INI, on the shell= line of the [boot] section, so that it is started together with the shell.

On the local machine it adds itself in the registry under the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
with the name of the first infected file as the value name and the path to that file as the value.
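The two INI lines and the Run key described above are the first places to check on a machine suspected of infection. The following is an added example written for this page; it is not BitDefender's AntiMagistr.B tool. It parses WIN.INI and SYSTEM.INI text and reports any program on the run= and shell= lines beyond the default (assumed here to be an empty run= and shell=Explorer.exe), and, on Windows only, lists the values of the HKLM Run key for manual review. The INI samples and the HOSTAPP.EXE path are constructed.

```python
"""
Check the persistence points Win32.Magistr.B uses on a machine.

Added example for this page; it is not BitDefender's AntiMagistr.B tool.
Assumptions (labelled as such): a default install has an empty "run=" under
[windows] in WIN.INI and "shell=Explorer.exe" under [boot] in SYSTEM.INI,
so any extra program on either line is reported. The INI text below is
constructed sample data; HOSTAPP.EXE is a placeholder for an infected host.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# (file, section, key) -> program(s) expected on a clean system (assumption)
EXPECTED = {
    ("win.ini", "windows", "run"): "",
    ("system.ini", "boot", "shell"): "Explorer.exe",
}

# The key the virus writes on the local machine (from the page)
REGISTRY_RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed samples showing what the two files look like after infection
WIN_INI_SAMPLE = r"""[windows]
load=
run=C:\WINDOWS\HOSTAPP.EXE
NullPort=None
"""
SYSTEM_INI_SAMPLE = r"""[boot]
shell=Explorer.exe C:\WINDOWS\HOSTAPP.EXE
system.drv=system.drv
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section and key names are lower-cased,
    ';' comments are skipped, the first occurrence of a key wins."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip().lower(), value.strip())
    return sections


def split_programs(value: str) -> List[str]:
    """run= and shell= hold programs separated by spaces or commas;
    a double-quoted path counts as one program."""
    return [p.strip('"') for p in re.findall(r'"[^"]*"|[^\s,]+', value)]


def find_extra_programs(filename: str, text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, program) for each program beyond the baseline.
    Comparison is by file name, so a full path to Explorer.exe still matches."""
    sections = parse_ini(text)
    findings: List[Tuple[str, str, str]] = []
    for (fname, section, key), baseline in EXPECTED.items():
        if fname != filename.lower():
            continue
        allowed = {ntpath.basename(p).lower() for p in split_programs(baseline)}
        for prog in split_programs(sections.get(section, {}).get(key, "")):
            if ntpath.basename(prog).lower() not in allowed:
                findings.append((section, key, prog))
    return findings


def list_registry_run_values() -> List[Tuple[str, str]]:
    """On Windows, return (name, data) pairs from the HKLM Run key for a human
    to compare against known software; elsewhere return an empty list."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return []
    values: List[Tuple[str, str]] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REGISTRY_RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values.append((name, str(data)))
            index += 1
    return values


def scan_samples() -> List[Tuple[str, str, str, str]]:
    """Run the INI checks over the constructed samples: (file, section, key, program)."""
    hits: List[Tuple[str, str, str, str]] = []
    for fname, text in (("win.ini", WIN_INI_SAMPLE), ("system.ini", SYSTEM_INI_SAMPLE)):
        hits += [(fname,) + finding for finding in find_extra_programs(fname, text)]
    return hits


if __name__ == "__main__":
    for fname, section, key, prog in scan_samples():
        print(f"{fname}: [{section}] {key}= carries unexpected program {prog}")
    for name, path in list_registry_run_values():
        print(f"HKLM Run: {name} = {path}")
```

On a real machine, feed the contents of the Windows directory's WIN.INI and SYSTEM.INI to find_extra_programs; the baseline in EXPECTED is the part to adjust if the site legitimately runs something from those lines.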

This new version also searches for e-mail addresses in Eudora's address book, in addition to the e-mail clients handled by the previous version, such as Outlook Express and Netscape.

The e-mail body texts are now in French too. The words used to compose the message are taken from the following list (fragments of French court language):

habeas corpus
judgement
condamné
trouvons coupable
à rembourse
sous astreinte
aux entiers depens
aux depens
ayant delibere
le present arret
vu l'arret
conformement a la loi
execution provisoire
ordonne
audience publique
a fait constater
cadre de la procedure
magistrad

The virus now sends through e-mail not only .DOC files but .GIF images too. It also checks whether the ZoneAlarm firewall is present and, if so, terminates it.
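Because the message text is assembled from the fixed word list above, a mail gateway can score bodies by how many of those phrases they contain. The following is an added example for this page, not BitDefender code: it folds accents so that the accented and unaccented spellings the virus mixes compare equal, counts matching phrases, and flags a message once a threshold is reached. The threshold of three phrases and the two sample messages are assumptions and constructed data.

```python
"""
Content heuristic for Magistr.B mail: count how many phrases from the
virus's word list occur in a message body.

Added example, not BitDefender code. The phrase list is the one on this
page; MIN_PHRASES and the sample messages are assumptions/constructed data.
"""
import re
import unicodedata
from typing import List

MAGISTR_PHRASES = [
    "habeas corpus", "judgement", "condamné", "trouvons coupable",
    "à rembourse", "sous astreinte", "aux entiers depens", "aux depens",
    "ayant delibere", "le present arret", "vu l'arret",
    "conformement a la loi", "execution provisoire", "ordonne",
    "audience publique", "a fait constater", "cadre de la procedure",
    "magistrad",
]
MIN_PHRASES = 3  # assumption: tune against real traffic before deployment

# Constructed sample messages
SAMPLE_BODY = ("Vu l'arret rendu en audience publique, le tribunal ordonne "
               "l'execution provisoire et condamne le defendeur aux entiers depens.")
BENIGN_BODY = "Bonjour, voici le rapport de la reunion de lundi."


def fold(text: str) -> str:
    """Lower-case, strip accents and collapse whitespace, so 'condamné' and
    'condamne' compare equal (the virus's strings mix both spellings)."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"\s+", " ", stripped)


def matched_phrases(body: str) -> List[str]:
    """Phrases from the list that occur in the body, in list order."""
    folded = fold(body)
    return [phrase for phrase in MAGISTR_PHRASES if fold(phrase) in folded]


def looks_like_magistr(body: str) -> bool:
    """True when at least MIN_PHRASES distinct phrases from the list appear."""
    return len(matched_phrases(body)) >= MIN_PHRASES


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_BODY), ("benign", BENIGN_BODY)):
        hits = matched_phrases(body)
        print(f"{label}: {len(hits)} phrase(s) matched, flagged={looks_like_magistr(body)}")
```

Single short words such as "ordonne" or "judgement" also occur in legitimate French or English mail, which is why the rule counts distinct phrases rather than firing on any one of them.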