Note: To protect the privacy of our members, e-mail addresses have been removed from the archived messages. As a result, some links may be broken.

Find Lesson Plans on! GettyGames

<no subject>


From: MaryAnn Kohl (maryann_at_TeacherArtExchange)
Date: Thu Mar 15 2001 - 10:31:57 PST



This worm which arrives as an .EXE file with varying filenames. Executing
this attachment infects your machine which is used to propagate the virus.
When first ran, the virus may copy one .EXE file in the WINDOWS or WINDOWS
SYSTEM directory using the same name with an altered last character.

W32/Magistr@MM is a combination of a files infector virus and e-mail worm.
-The viral code infects 32 bit PE type files (.exe) files in the WINDOWS
directory and subdirectories.
-The worm part is using mass mailing techniques to send itself to email
addresses stored in several places. The worm installs itself to run at each
system startup.
Five minutes after the virus is run, it attempts a mailing routine. Email
addresses are gathered from the Windows Address Book, Outlook Express
mailboxes, and Netscape mailboxes (address found in the email messages
within existing mailboxes are gathered), and these file locations and
addresses are saved to a hidden .DAT file somewhere on the hard disk
(varies). The messages sent by the worm contain varying subject headings,
body text, and attachments. The body of the message is derived from the
contents of other files on the victim's computer. It may send more than one
attachment and may include non .EXE or non-viral files along with an
infectious .EXE file.

The virus proceeds by infecting 32 bit PE (Portable Executable) type .EXE
files found in the WINDOWS SYSTEM directory and subdirectories. The viral
code is encrypted, polymorphic, and uses anti-debugging techniques to make
it difficult detected. Email addresses have been seen encrypted in infected
files. These addresses are believed to represent other users that have also
been infected from the same point of origin.

In the decrypted body of the virus code, the following comments exist:
ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler.
by: The Judges Disemboweler.
written in Malmo (Sweden)

W32/Magistr@MM has a payload routine that on some systems may result in
cmos/bios info being erased as well as destroying sectors on the hard disk.

The virus has a medium risk factor according to McAfee Avert Research

Other aliases for this worm are:
I-Worm.Magistr (CA)  
Magistr (F-Secure)  
PE_MAGISTR.A (Trend)  
W32.Magistr.24876@mm (Symantec)  
W32/Disemboweler (Panda)  
W32/Magistr-a (Sophos)  

Use specified engine and DAT files for detection and removal.

According to a report on, the creator of the tool that generated
the "Anna Kournikova" virus last month has released an updated version of
his worm-generating software.

The new tool is believed to have the potential to create worms that are much
more malicious and harder to track than those that have come before.


MaryAnn F. Kohl