VIRUS - W32/Magistr


DouglasDigby
16th Mar 2001, 14:26
Following was sent to me by a fellow colleague in the USA; I have no reason to believe that it is a hoax (the person concerned got caught out on the Kournikova virus and is now playing things very carefully!). The virus isn’t listed yet on my “favourite” virus site (either as a hoax or a danger), http://www.antivirus.com/vinfo/ but these things take time to show up I guess. I have checked, it is listed on the http://www.norman.com.au site.

“Please pay attention to any attachments or files you download from the internet, for a very destructive virus. These Software hackers are getting more clever. The name and subject line of this one varies continuously but it is a .exe file attachment.

-----Original Message-----
From: Norman Support [mailto:[email protected]]
Sent: Wednesday, March 14, 2001 4:12 PM
To: [email protected]
Subject: Norman Virus Bulletin
---------------
W32/Magistr@mm
---------------
Aliases:
PE_Magistr.A, W32/Magistr.24876@mm
------------------------
Description of the virus
------------------------
W32/Magistr@mm is a polymorphic virus. It is quite destructive, utilising both hard disk erasure and BIOS flashing. W32/Magistr uses the same method as Win95/CIH to erase hard disk data and flash memory.

It infects Win32 executables and mass mails itself over email as well as spreading through network resources. It picks up email addresses from Microsoft address book and other files containing email addresses.

The subject, body and name of attachment are randomly created by the virus.

It will usually arrive in email as an EXE file with a random filename. If you execute an infected file your system will be infected and the virus will start its mass mailing routine to propagate itself. It enumerates all network resources looking for folders with the following names:

WIN98 WIN95 WIN NT WINDOWS.

If a folder with these names is found, it copies itself to these folders and adds an entry to Win.ini to load itself at next system start-up. It will create an entry in Win.ini as well as in the Windows Registry to run itself at each Windows start-up. To do that it creates the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
[path\name of infected files]

The virus contains the following encrypted text:

ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler.
by: The Judges Disemboweler. written in Malmo (Sweden)

----------------------------------
Detection and removal of the virus
----------------------------------
An update that detects W32/Magistr will soon be published on our website. In the interim, users are encouraged to avoid opening .exe attachments in emails from both trusted and untrusted sources.

Safe Computing
The Norman Team”

(Up-date is listed - 16 Mar - DD)
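The bulletin above names two start-up locations the virus writes to (Win.ini and the registry Run key) and says the file name is random, so a name match is not possible. The following is an added example, not part of the original post or the Norman bulletin: it lists the entries in both places and reports any whose program is not on a reviewed baseline. The sample win.ini, the registry export, the name QXZ1.EXE and the baseline list are all constructed for illustration.

```python
import configparser
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

def win_ini_autostart(text):
    """Programs listed on load=/run= in the [windows] section of win.ini."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True)
    cp.read_string(text)
    found = []
    for section in cp.sections():
        if section.lower() != "windows":
            continue
        for opt in ("load", "run"):
            value = cp.get(section, opt, fallback="") or ""
            found += [("win.ini " + opt + "=", prog) for prog in value.split()]
    return found

def run_key_values(reg_text):
    """(source, command) pairs under the Run key in a regedit text export."""
    found, in_run = [], False
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run:
            m = re.match(r'"(.+?)"="(.*)"$', line)
            if m:  # undo .reg escaping of backslashes and quotes
                found.append(("Run\\" + m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))))
    return found

def unexpected(entries, baseline):
    """Entries whose program file name is not in the reviewed baseline."""
    def exe(cmd):
        m = re.match(r'"([^"]+)"|(\S+)', cmd)
        return re.split(r"[\\/]", m.group(1) or m.group(2))[-1].lower() if m else ""
    return [(src, cmd) for src, cmd in entries if exe(cmd) not in baseline]

# Constructed sample data (not from the bulletin); QXZ1.EXE is a made-up name.
WIN_INI = r"""[windows]
load=C:\WINDOWS\QXZ1.EXE
run=
"""
REG_EXPORT = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Qxz1"="C:\\WINDOWS\\QXZ1.EXE"
'''
BASELINE = {"systray.exe", "scanregw.exe"}  # assumed known-good list
```

Because the bulletin also says the virus infects existing Win32 executables, this covers only the start-up entries and does not replace a scanner update.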

PPRuNe Dispatcher
16th Mar 2001, 20:29
This one is for real.

See http://vil.nai.com/vil/dispVirus.asp?virus_k=99040

Time to update your virus scanner!

---PPD

[This message has been edited by PPRuNe Dispatcher (edited 16 March 2001).]

lame
16th Mar 2001, 23:40
McAfee have a patch available on their Activeshield site already, they only list it as medium risk.

jetfueldrinker
17th Mar 2001, 00:04
I received an e-mail the other day. Apparently it had an 'image' on it that 'may cause offence' to the viewer and did I know who sent it. Naturally I deleted it without opening it, but thinking back, there was an Exe file stuck to it. So I think I have been wise this time. I got a Trojan Horse about 2 years ago and have been wary ever since. So if you have any doubts, delete it without opening, or if you can, send it to your ISP's Conditions of Service to deal with.

Stay clean

JFD