Magistr: A Recipe Of Blending Virus and Worm with Some Multilevel Polymorphism Flavour

13 Mar 2001
Virus News

Cambridge, United Kingdom, March 14, 2001 - Kaspersky Lab, an international data-security software-development company, warns computer users about the discovery of a new, extremely dangerous computer virus, "Magistr," which spreads via e-mail and local area networks and uses a set of nifty techniques to hide its presence on infected computers that make it very difficult to detect and disinfect. According to comments found in the virus body, it was written in Malmo, Sweden by a hacker using the pseudonym "The Judges Disemboweler." Kaspersky Lab has already received several reports of the worm "in the wild."

"Magistr" can enter a computer in three ways: firstly, via e-mail, when a user accidentally launches the infected attached file; secondly, over the local area network (LAN), by infecting files found in shared resources on reachable servers and workstations; thirdly, when an infected file is delivered to a system on removable storage media or downloaded from the Internet or another network.

Right after the infected file is executed, the virus installs itself in the system, begins mass e-mail distribution and, after some time, activates its built-in destructive payload.

To carry out the mass e-mail distribution, "Magistr" scans the Outlook Express, Internet Mail and Netscape Messenger mail databases and the Windows address book, and reads all e-mail addresses found there. The locations and names of the mail databases are stored in a special file with the DAT extension. The file name is derived by encrypting the computer's name: for instance, on a computer named CS-GOAT the file is named WG-SKYF.DAT. Depending on the first character of the file name, the virus places this file in the root directory of the C: drive or in the "Windows" or "Program Files" directory.

After this, "Magistr" silently determines the SMTP server configured on the infected computer and, on behalf of the user, sends out e-mail messages through that server. Each message carries a random PE EXE or SCR file smaller than 132Kb that has already been infected with the virus. The subjects of the messages are chosen at random from DOC and TXT files found on the computer or from a list of English, Spanish and French phrases planted in the virus body. The message body contains random text taken from random files found on the disk. Because the appearance of the messages varies so much, it is significantly harder for users to recognize infected e-mails themselves.

With a 20% probability, "Magistr" also attaches a random DOC or TXT file found on the system while the virus was scanning for Subject and MessageBody texts. As a result, a randomly selected DOC or TXT file may be sent out, which may disclose confidential information.

It is important to note that when sending out infected e-mails, "Magistr" randomly alters the sender's return address by deleting or changing some characters. This also helps the virus hide its activity: the recipient cannot reply to the message because the return address is incorrect, so the sender never learns that the virus is sending unauthorized messages from his or her computer.
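The mailing behaviour described above (executable attachments and a sender address mutated by a few characters) is something a mail administrator can look for on the outbound relay. The following script is an added example written for this page, not code from Kaspersky Lab or from the virus: it scores constructed outbound messages with two checks, a near-miss From address (small edit distance to a known local address, but not equal to it) and an EXE/SCR attachment. The addresses, message records and the distance threshold are assumptions for illustration.

```python
# Constructed samples; every address and file name here is fictitious.
KNOWN_SENDERS = ["alice@example.org", "bob@example.org"]
SAMPLE_OUTBOUND = [
    {"id": 1, "from": "alice@example.org", "attachments": [("report.doc", 40_000)]},
    {"id": 2, "from": "alce@example.org", "attachments": [("notepad.exe", 120_000)]},
    {"id": 3, "from": "bob@example.org", "attachments": [("screen.scr", 90_000)]},
    {"id": 4, "from": "zed@elsewhere.test", "attachments": []},
]
EXECUTABLE_SUFFIXES = (".exe", ".scr")   # the attachment types named in the release


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_addr, known=KNOWN_SENDERS, max_dist=2):
    """'known' for an exact local address, 'near-miss' for a slightly mutated copy of one,
    'foreign' otherwise. max_dist=2 is an assumed threshold, not a value from the page."""
    addr = from_addr.strip().lower()
    if addr in known:
        return "known"
    best = min(edit_distance(addr, k) for k in known)
    return "near-miss" if best <= max_dist else "foreign"


def scan_outbound(messages, known=KNOWN_SENDERS):
    """Return [(message id, [reasons])] for messages that show either warning sign."""
    flagged = []
    for msg in messages:
        reasons = []
        if classify_sender(msg["from"], known) == "near-miss":
            reasons.append("near-miss sender")
        for name, _size in msg["attachments"]:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                reasons.append(f"executable attachment: {name}")
        if reasons:
            flagged.append((msg["id"], reasons))
    return flagged


if __name__ == "__main__":
    for msg_id, reasons in scan_outbound(SAMPLE_OUTBOUND):
        print(msg_id, "; ".join(reasons))
```

The near-miss check only makes sense on mail that claims to originate inside your own domain; an exact match passes, and an unrelated address is reported as foreign rather than as a mutation. Message 2 in the sample trips both checks, message 3 only the attachment check.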

Right after the virus code is executed, "Magistr" infects all PE EXE and SCR files found in the "Windows," "WinNT," "Win95" and "Win98" directories of all local and network drives connected to the computer. After this, the virus scans all reachable network resources, looks for the same directories, and infects the PE EXE and SCR files there. When infecting files, "Magistr" uses several very sophisticated techniques that significantly complicate its detection and removal. The virus body is divided into three parts, two of which are encrypted with a strong polymorphic algorithm, so that the infected file has the following layout:

When the infected file is run, the virus immediately takes control at the program's entry point and redirects execution to the main virus code. Only after the main virus code has finished does the virus return control to the original program.
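An infector that takes control at the entry point and runs its own code before the host program usually leaves a recognizable trace in the PE headers: the entry point no longer lies in the program's original code section. The script below is an added example for this page, not Kaspersky Lab's scanner and not a signature for "Magistr"; it parses the PE section table with the standard library and reports where AddressOfEntryPoint lands, warning when that is the last section, a writable section, or a section other than the first code section. The two header-only images it inspects are constructed in `build_pe` and `sample_images` purely for the demonstration; the heuristic thresholds are assumptions, and real packers or linkers can trigger the same warnings, so treat a hit as a reason to look closer rather than as a verdict.

```python
import struct

# Section characteristic bits from the PE format specification (winnt.h names).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                     # after the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # same offset in PE32 and PE32+
    sec_off = opt_off + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, _rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "chars": chars})
    return entry_rva, sections


def entry_point_report(data):
    """Locate the entry point's section and flag layouts typical of appended, entry-hijacking code."""
    entry_rva, sections = parse_pe(data)
    report = {"entry_rva": entry_rva, "section": None, "warnings": []}
    first_code = next((i for i, s in enumerate(sections)
                       if s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)), None)
    for idx, s in enumerate(sections):
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            report["section"] = s["name"]
            if len(sections) > 1 and idx == len(sections) - 1:
                report["warnings"].append("entry point in last section")
            if s["chars"] & IMAGE_SCN_MEM_WRITE:
                report["warnings"].append("entry section is writable")
            if first_code is not None and idx != first_code:
                report["warnings"].append("entry point outside first code section")
            break
    else:
        report["warnings"].append("entry point not inside any section")
    return report


def build_pe(entry_rva, sections):
    """Constructed, header-only PE32 image for the demonstration (contains no real code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # PE header directly after the DOS header
    opt_size = 224                                             # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    image = bytearray(dos) + b"PE\0\0" + coff + opt
    for i, (name, vaddr, vsize, chars) in enumerate(sections):
        image += struct.pack(SECTION_HEADER, name.encode(), vsize, vaddr, vsize,
                             0x400 * (i + 1), 0, 0, 0, 0, chars)
    return bytes(image)


def sample_images():
    """Two constructed layouts: a normal program, and the same program with a writable,
    executable section appended and the entry point moved into it."""
    base = [(".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
            (".data", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE)]
    appended = base + [(".xyz", 0x3000, 0x2000,
                        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)]
    return {"clean": build_pe(0x1010, base), "appended": build_pe(0x3000, appended)}


if __name__ == "__main__":
    for label, image in sample_images().items():
        print(label, entry_point_report(image))
```

Because the check reads only the headers, it runs quickly across a whole directory tree and is a reasonable first pass before a signature scan; the polymorphic encryption the release describes defeats simple byte signatures, but it cannot hide the fact that execution now begins somewhere other than the compiler-generated code section.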

To secure its permanent presence in an infected system, "Magistr" modifies the WIN.INI configuration file and the Windows system registry so that the virus is activated each time the system boots. When infecting network resources, the virus modifies the WIN.INI file only.
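Since WIN.INI is the one persistence point the release says is touched on every infected machine and on infected network shares, a simple periodic audit of its autostart lines is a cheap control. The following is an added example for this page, not Kaspersky Lab's code: it parses the `load=` and `run=` keys of the `[windows]` section (the lines Windows 9x/NT era systems execute at logon) and reports any program not on an administrator-maintained allowlist. The sample WIN.INI text, the program path in it and the baseline are constructed for the illustration and are not values from the virus.

```python
import re

# Constructed sample WIN.INI; the path below is fictitious, not an indicator from the page.
SAMPLE_WIN_INI = """\
; constructed sample
[windows]
load=
run=c:\\windows\\system\\example.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

AUTOSTART_KEYS = ("load", "run")   # programs Windows launches from WIN.INI at logon


def parse_ini(text):
    """Minimal INI parser returning {section: {key: value}} with lower-cased names.
    Written by hand because WIN.INI often contains lines configparser rejects."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def win_ini_autostart(text):
    """Return [(key, program)] for every program listed under load= and run=.
    Entries are separated by spaces or commas (an assumption about the file format)."""
    windows = parse_ini(text).get("windows", {})
    found = []
    for key in AUTOSTART_KEYS:
        for prog in re.split(r"[ ,]+", windows.get(key, "")):
            if prog:
                found.append((key, prog.lower()))
    return found


def unexpected_autostart(text, baseline):
    """Autostart entries that are not in the allowlist (compare case-insensitively)."""
    allowed = {p.lower() for p in baseline}
    return [(key, prog) for key, prog in win_ini_autostart(text) if prog not in allowed]


if __name__ == "__main__":
    for key, prog in unexpected_autostart(SAMPLE_WIN_INI, baseline=[]):
        print(f"unexpected {key}= entry: {prog}")
```

The same function can be pointed at the WIN.INI on each network share's Windows directory, which is where the release says a network infection leaves its only persistence change; the registry keys modified on local machines need a separate check with the registry API and are not covered here.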

"Magistr" carries a very dangerous destructive payload. One month after the day of the first infection, the virus destroys all files on local and network drives of computers running Windows NT/2000 by overwriting their contents with the string "YOUARESHIT". Under Windows 95/98, the virus additionally clears the CMOS settings (CMOS holds the computer's boot-time hardware configuration) and, like the "Chernobyl" (CIH) virus, destroys the data in the FLASH BIOS chip. After this, it displays the following message box:

Another haughty bloodsucker.......

Depending on internal triggers, the virus also executes another payload subroutine that produces a "runaway icons" effect: whenever the user moves the cursor toward a desktop icon, the icon immediately jumps to a new location, so the user cannot start the corresponding application.

"In this particular case, we are dealing with a very complex and technologically advanced computer virus, which is powered by all the most effective ways of spreading, infection and masquerading, and has a very dangerous payload," said Denis Zenkin, Head of Corporate Communications for Kaspersky Lab. "As a matter of fact, 'Magistr' is a result of the successful crossing of the outstanding spreading speed of the 'ILOVEYOU' virus and 'Chernobyl's' extreme destructiveness."

Taking into account the danger and breathtaking spread of the "Magistr" virus, Kaspersky Lab recommends that its users update the Kaspersky Anti-Virus database as soon as possible. Protection against the virus has already been added to the program's daily update.

Kaspersky Anti-Virus can be purchased in the Kaspersky Lab online store or from a worldwide network of Kaspersky Anti-Virus distributors and resellers.