Detect Date 01/11/2002
Class Email-Worm
Platform Win32

This is an improved version of the original “Magistr” email worm and Win32 PE EXE file infector.

The differences are:

The payload routine is improved by another branch that overwrites the WIN.COM file in the Windows directory and the NTLDR file in the C: root directory with a program that erases hard drive data upon start-up. This is done on local drives and on network shared drives as well.

While infecting a local file, this virus encrypts an entry routine with a key that depends on the computer’s name. This makes disinfecting an infected machine much more difficult.

To spread via e-mail, the worm also looks for Eudora email data.

While infecting network drives, the worm looks for more Windows directory names:









The worm copy is then registered in WIN.INI and SYSTEM.INI files in the following sections:

WIN.INI: Windows Run

SYSTEM.INI: boot shell
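
A defender can check these two autostart locations directly. The following is an added example, not part of the original description: it assumes "Windows Run" means the `run=` key in the `[windows]` section and "boot shell" the `shell=` key in the `[boot]` section, and that the stock values are an empty `run=` and `shell=Explorer.exe`. The sample file contents and `EXAMPLE.EXE` are constructed.

```python
# Added example: audit legacy INI autostart entries (constructed samples below).
import re

# (file, section, key) -> values treated as normal.
# Assumption: stock defaults are an empty run= and shell=Explorer.exe.
AUTOSTART_KEYS = {
    ("win.ini", "windows", "run"): {""},
    ("system.ini", "boot", "shell"): {"explorer.exe"},
}

def parse_ini(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(filename, text):
    """List (file, section, key, value) autostart entries that differ from the defaults."""
    parsed = parse_ini(text)
    findings = []
    for (fname, section, key), allowed in AUTOSTART_KEYS.items():
        if fname != filename.lower():
            continue
        value = parsed.get(section, {}).get(key)
        if value is not None and value.lower() not in allowed:
            findings.append((fname, section, key, value))
    return findings

# Constructed sample files; the program name is a placeholder, not a real indicator.
SAMPLE_WIN_INI = "[windows]\nload=\nRun=C:\\WINDOWS\\EXAMPLE.EXE\n\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\EXAMPLE.EXE\n\n[386Enh]\ndevice=*vshare\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"

if __name__ == "__main__":
    for name, text in (("WIN.INI", SAMPLE_WIN_INI), ("SYSTEM.INI", SAMPLE_SYSTEM_INI)):
        for finding in audit(name, text):
            print("non-default autostart entry:", finding)
```

Any finding should be compared against the programs the machine is known to start legitimately before it is treated as an infection marker.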

The worm looks for GIF files, and can send GIF images out of the computer, as well as clean DOC files (as the original version does).

The worm destroys .NTZ files whenever it finds them. It also attempts to terminate the ZoneAlarm firewall if it is installed, but fails, and ZoneAlarm continues to protect the machine.

