Email-Worm.Win32.Magistr

Detect Date 01/11/2002
Class Email-Worm
Platform Win32
Description

This is an improved version of the original “Magistr” email worm and Win32 PE EXE files infector.

The differences are:

The payload routine is imoroved by another branch that will overwrite a WIN.COM file in the Windows directory and an NTLDR file in the C: root directory with a program that erases hard drive data upon start-up. This is done for local and for network

shared drives as well.

While infecting a local file, this virus encrypts an entry routine with a key that depends on the computer’s name. This causes infected-machine disinfection to be much more difficult.

To spread via e-mail, the worm also looks for Eudora email data as well.

While infecting network drives the worm looks for more Windows directories names:

WINNT

WINDOWS

WIN95

WIN98

WINME

WIN2000

WIN2K

WINXP

The worm copy is then registered in WIN.INI and SYSTEM.INI files in the following sections:

WIN.INI: Windows Run

SYSTEM.INI: boot shell

The worm looks for GIF files, and can send GIF images out of the computer, as well as clean DOC files (as the original version does).

The worm destroys .NTZ files each time if such files are located. It also attempts to terminate the ZoneAlarm firewall if it is installed, but fails and ZoneAlarm continues to protect the machine.