SPREADS USING E-MAIL ATTACHMENTS
Virus Name : W32.Magistr
Alias : W32/Magistr.a@MM,
W32/Magistr-a, W32/Magistr@MM, Win32.Magistr.a.
Virus type : File
Infector, E-mail worm
level : Medium
is a complex polymorphic worm spreads via email
and it contains virus components to infect PE
*.SCR] in Windows
environment. It infects local machine and PCs
connected to the local network (LAN). This virus
is frequently reported in the wild.
contains an extremely dangerous payload, it will damage the
motherboard and the hard disk. It will e-mail
your document and text files too. So it may
distribute your confidential information.
new modified variant of Magistr
virus is spreading in the wild. This variant will
send the infected mails with .COM, .BAT, .PIF
extensions too. It overwrites WIN.COM and
NTLDR files with a destructive Trojan
program. It also deletes all .NTZ files and
terminates the ZoneAlarm firewall software, if
The payload of Magistr is
stolen from deadly Win95/CIH
virus. The computer motherboards manufactured in
the last few years store their BIOS on a flash
ROM chip which are rewritable. Magistr virus
directly attacks the code stored in the flash ROM
chip and makes the computer unbootable.
Magistr arrives as an
e-mail attachment, when the infected e-mail
attachment is executed, it will search for
Explorer.exe process in memory and will insert a
110 byte code in the writeable section.
TranslateMessage Function is hooked to point to
that routine and waits three minutes. Then it
scans system registry for e-mail clients Outlook
Express, Netscape Messenger and Internet Mail.
Based on the registry information it collects
e-mail address from .wab, .mbx, .dbx files and
will store in a DAT file to maintain the mailing
list. The decrypted virus body contains the last
10 mailed addresses.
After collecting the
e-mail addresses, it will check for active
internet connection. If present, it will infect
one .EXE or .SCR file and mails to 100 e-mail
addresses. There is a possibility of sending
documents with infected mail. Magistr uses its
own SMTP engine to mail infected attachments. The
SMTP gateway will be 188.8.131.52, 184.108.40.206
After the mailing is
complete, Magistr will add "run="
command in Win.ini or modifies the registry to
load next time automatically. The registry sub
key added will be
Then it searches for all local and network
folders and infects twenty *.EXE and *.SCR files
in one stretch. If windows folder exists in
network machines, it will add "run="
command in the WIN.INI file to load on the next
searches for Word and text files and collects
text from there. These information is combined
with the following texts to form the message body
and subject of the infected mail.
sentences him to
sentence you to
ordered to prison
find him guilty
judgment of conviction
sufficiency of proof
sufficiency of the evidence
against the accused
aux entiers depens
le present arret
conformement a la loi
a fait constater
cadre de la procedure
recurso de apelaci
pena de arresto
mando y firmo
calidad de denunciante
antecedentes de hecho
dictando la presente
Magistr uses complex
polymorphic engines and anti-debugging tricks to
make the detection work complex. It steals up to
512 bytes of code from the program entry point
and stores garbage of polymorphic routines there.
By fixing this code, the infected file is safely
recovered. Solo cleans Magistr virus
One month after
infection, Magistr will overwrite all files with
the text "YOUARESHIT". It will also
erase your CMOS memory, Flash BIOS and hard disk
data. It will display the following
message box after the payload is executed.
YOU THINK YOU ARE GOD ,
BUT YOU ARE ONLY A CHUNK OF SHIT"
Using the internal counter, the
worm will move the icons away from the mouse
pointer. It also contains copyright string
"ARF! ARF! I GOT YOU! v1rus:
Judges Disemboweler. by: The Judges Disemboweler.
written in Malmo (Sweden)"
How can I protect my
Solo has incorporated
Win32/Magistr in its signature file to protect
users from this virus attack. Solo antivirus
registered users are already protected from this
virus. Make sure that you have installed
registered version of Solo Antivirus to protect
your system from all virus threats.
to remove this virus?
If you are infected with
Win32/Magistr virus, run Solo antivirus and
choose clean option to repair the worm infected
antivirus can detect and remove Win32/Magistr
virus safely. Since Magistr is a highly
polymorphic virus in few cases it can't be
cleaned. You have to copy the files reported as
"Corrupted" from installation CD or
from backup. Use the following link to Download
30 day trial version of Solo antivirus
remove viruses from your computer.
Solo anti-virus not only
scans for all viruses, it contains a unique System
Integrity Checker to protect you from
New Internet Worms, Backdoors and
malicious VB, Java Scripts. It also
effectively removes all existing Internet Worms,
File viruses, malicious VB, Java scripts,
Trojans, Backdoors, boot sector, partition table
and macro viruses.
purchase Solo antivirus using the link