Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards.
Additionally, you'll have to manually delete the infected files located in archives and the infected messages from your mail client.
To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.
The BitDefender AntiMagistr.B tool does the following:
- it cleans all files infected with Win32.Magistr (all known versions);
- it kills the process from memory;
- it repairs the Windows registry.
BitDefender Virus Researcher
This virus is an improved and more stable version of Win32.Magistr.A@mm.
Its decryption routine is more elaborate, and the original data from the Entry Point is now encrypted with a key generated from the computer name. Because of this, cleaning the infected files is more difficult.
It is able to infect more computers connected in a network because it now looks for more Windows directory names than the previous version.
In network infection it searches for the following directory names:
and infects the files in those directories. After that it registers itself in WIN.INI and SYSTEM.INI under the [Windows] and [Run] sections for WIN.INI and under [boot] and [Shell] sections for SYSTEM.INI.
On the local machine it adds itself to the registry under the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
with the name of the first infected file as the value name and the path to that file as the value.
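A check for the startup locations described above, as an added example that is not part of the BitDefender tool or the original write-up. It assumes the WIN.INI and SYSTEM.INI entries are the standard run=/load= keys of [windows] and the shell= key of [boot], and that the Run key has been exported to a name/data mapping; the file name SAMPLE.EXE and all sample data are constructed. The Run-key match is a review heuristic, since legitimate entries can also be named after their executable.

```python
import ntpath

# Legacy autostart keys (file, section, key) and their usual clean values.
# Assumption: the page's WIN.INI/SYSTEM.INI entries are these standard keys.
AUTOSTART_KEYS = {
    ("win.ini", "windows", "run"): "",
    ("win.ini", "windows", "load"): "",
    ("system.ini", "boot", "shell"): "explorer.exe",
}

def autostart_entries(name, text):
    """Return {(file, section, key): value} for the autostart keys in one INI file."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        ident = (name.lower(), section, key.strip().lower())
        if sep and ident in AUTOSTART_KEYS:
            found[ident] = value.strip()
    return found

def audit(ini_files, run_values):
    """List autostart entries to review. ini_files: {filename: text};
    run_values: {value name: data} exported from the HKLM Run key."""
    findings = []
    for name, text in ini_files.items():
        for ident, value in autostart_entries(name, text).items():
            if value.lower() != AUTOSTART_KEYS[ident]:
                findings.append("%s [%s] %s=%s" % (ident + (value,)))
    for vname, data in run_values.items():
        # Pattern from the page: value name = infected file's name, data = its path.
        base = ntpath.basename(data.strip().strip('"'))
        if vname.lower() in (base.lower(), ntpath.splitext(base)[0].lower()):
            findings.append("Run %s -> %s" % (vname, data))
    return findings

# Constructed sample data (SAMPLE.EXE is a made-up file name).
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SAMPLE.EXE\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SAMPLE.EXE\n[386Enh]\ndevice=*vmm\n"
RUN_KEY = {"SAMPLE": r"C:\WINDOWS\SAMPLE.EXE", "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    for f in audit({"WIN.INI": WIN_INI, "SYSTEM.INI": SYSTEM_INI}, RUN_KEY):
        print(f)
```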
This new version searches for e-mail addresses in Eudora's address book, in addition to the previous e-mail clients such as Outlook Express, Netscape and so on.
The texts for the e-mail body are now in French too. The words used to compose the message are in the following list:
aux entiers depens
le present arret
conformement a la loi
a fait constater
cadre de la procedure
Now the virus sends through e-mail not only doc files but .GIF images too. The virus checks for the existence of the ZoneAlarm firewall and, if it exists, the virus terminates it.