The Return of "Magistr"

04 Sep 2001
Virus News

A new variant of the Magistr virus has been detected

Kaspersky Lab, an international data-security software developer, warns users about the detection of a new variant of the dangerous "Magistr" virus. Kaspersky Lab has already received several reports of infections by this malicious program in Spain.

"'Magistr.b' utilizes a substantially reworked encoding algorithm of the virus' code. Because of this, none of the known anti-virus scanners are able to recognize this new virus variant even with the heuristic code analyzer switched on," commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab.

Kaspersky Lab has effectively and efficiently reacted to the appearance of this new threat: at midnight on September 4 (i.e., last night) it released the corresponding Kaspersky® Anti-Virus database update, which contains defense procedures that thwart "Magistr.b".

This variant is characterized by exceptionally dangerous side effects and by noticeably reworked procedures for spreading via the local network and e-mail.

In addition to destroying all files on the local and network disks and corrupting data stored in the CMOS memory (the computer hardware boot-up parameters) and the FLASH BIOS microchip, "Magistr.b" overwrites the OS loaders WIN.COM and NTLDR in such a way that, under certain conditions, all data on the local and network disks are deleted upon the next computer start-up. While searching for target files to infect, the virus also destroys files with the .NTZ extension. If "Magistr.b" detects an active copy of the "ZoneAlarm" personal firewall software running, it automatically disables it.

In order to obtain e-mail addresses for further spreading, "Magistr.b" scans the databases of the Eudora, Outlook Express, Netscape Messenger and Internet Mail e-mail clients, as well as the Windows address book. In addition to .DOC and .TXT files, the virus is able to attach .GIF files. It also conducts a wide search for accessible network resources where "Magistr.b" will try to plant its copies. The virus searches the following folders: "WINNT", "WINDOWS", "WIN95", "WIN98", "WINME", "WIN2000", "WIN2K", and "WINXP". In this way, the virus is able to spread more effectively and noticeably improve its rate of "success" in penetrating victim computers.

"Today, 'Magistr's' first variant firmly holds a high position in the list of the most widespread malicious code, second only to the 'SirCam' Internet worm. Don't be in doubt that the latest 'Magistr' modification has the potential for being as widespread as the original. This could lead to another global epidemic," said Denis Zenkin, Head of Corporate Communications for Kaspersky Lab.

As previously noted by Kaspersky Lab, "Magistr" belongs to the category of viruses known as "sleepers." This virus type does not reveal itself until the moment of its payload activation arrives. The original "Magistr" confirmed Kaspersky Lab's prediction, and within a month of detection, "Magistr" placed first in virus-activity ratings.

"Why wait for a catastrophe? Kaspersky Lab continuously recommends that users remain on the ball by having the latest Kaspersky Lab update installed, reliably protecting their computers from these virus threats," added Mr. Zenkin.

A more detailed description of the "Magistr" virus can be found in the Kaspersky Virus Encyclopedia.