NCDUPLIN-L Archives


From: "Judy" <>
Subject: [NCDUPLIN] Virus from list member?
Date: Thu, 01 Nov 2001 17:17:25 -0600


Hello list members:
I received an email with an attachment named FTOINST.EXE from someone I
don't know but think I've seen on this mailing list. This file IS a
virus. I have two virus protection programs running on my computer and
Norton Anti-Virus, even with up to date virus signature files did NOT
detect it. Fortunately, the other program I have did. If you get an
email with this attachment, please DON'T DOUBLE CLICK IT or open it.

This is what the body of my email looks like in the Netscape Messenger:

[Image]

Notice that the file extension is .EXE yet the type of file that is
listed says it is a GIF Image.

My anti-virus program stated that the above file is infected with
Win32.magistr.24876 virus. So I went to the web and looked up the virus
which I posted a description of below. Please be careful!!

Judy

Win32.Magistr.24876 (also known as W32/Magistr@MM, PE_MAGISTR.A,
W32.Magistr.24876 and I-Worm.Magistr)

Magistr is a polymorphic binary virus/worm targeting Windows 9x/ME/2K
systems and has been reported from the field.

When run, this virus will make a copy of an EXE or SCR file in the
system directory, give it a slightly different name and infect the copy.
The virus then adds a reference to this infected file to the following
registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

For example, under test conditions the virus copied "CFGWIZ32.EXE" to
"CFGWIZ31.EXE" and added the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CFGWIZ31="C:\WINDOWS\SYSTEM\CFGWZ31.EXE"

It may also add the filename to the "run=" line in WIN.INI.

On the next reboot, the infected copy will infect other .EXE and .SCR
files in the System directory and its subdirectories.

The virus searches for e-mail addresses in Outlook Express and Netscape
mailboxes, as well as the Windows address book (.WAB) files. It stores
information about the location of these mailboxes in a hidden file in
the Windows directory with the extension ".dat". The rest of the
filename is randomly generated based on the computer name.

Using its own SMTP code (by connecting to the mailserver directly), the
virus then sends an e-mail message to all of the addresses it has found.
The subject and body of the e-mail are taken from files on the infected
machine's hard drive, and therefore may be any collection of ASCII
characters. An infected file is attached to the e-mail.

Besides using SMTP to spread, Magistr also tries to connect to shares in
the network neighborhood. If it can connect to a network drive, it will
try to copy itself to the following directories and add a "run=" line to
the WIN.INI file on the remote machine to infect it on the next startup:

WIN95
WIN98
WINDOWS
WINNT

The virus code contains a procedure to overwrite files on the hard drive
as well as the CMOS data and Flash BIOS code. Whilst the CMOS data is
recoverable, the loss of the Flash BIOS code could potentially render a
computer unbootable.
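The extension/type mismatch Judy points out (an .EXE attachment that the mail client labels as a GIF image) can be checked mechanically. The code below is an added example, not part of the original post or of any vendor's product: it parses a constructed sample message with Python's standard email module and flags attachments whose filename extension, declared Content-Type and leading bytes disagree. The EXT_TYPES and MAGIC tables are assumptions, kept deliberately small.

```python
import email
from email import policy

# Constructed sample (not from the original post): a text part plus an attachment
# declared as image/gif, named with an .EXE extension, whose bytes start with "MZ".
SAMPLE = b"""From: sender@example.invalid
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: image/gif; name="FTOINST.EXE"
Content-Disposition: attachment; filename="FTOINST.EXE"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Type implied by the final extension (the one Windows acts on) and by leading bytes.
EXT_TYPES = {".gif": "image/gif", ".txt": "text/plain",
             ".exe": "application/x-msdownload", ".scr": "application/x-msdownload"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat"}
MAGIC = [(b"MZ", "application/x-msdownload"), (b"GIF8", "image/gif")]

def sniff(data: bytes) -> str:
    return next((t for p, t in MAGIC if data.startswith(p)), "unknown")

def check_attachments(raw: bytes) -> list:
    """One finding dict per attachment whose name, declared type and content disagree."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
        declared = part.get_content_type()
        by_ext = EXT_TYPES.get(ext, "unknown")
        by_magic = sniff(part.get_payload(decode=True) or b"")
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension " + ext)
        if by_ext != "unknown" and by_ext != declared:
            reasons.append(f"declared {declared}, extension implies {by_ext}")
        if by_magic != "unknown" and by_magic != declared:
            reasons.append(f"declared {declared}, content looks like {by_magic}")
        if reasons:
            findings.append({"filename": name, "declared": declared, "reasons": reasons})
    return findings
```

Run `check_attachments(SAMPLE)` to see all three disagreements reported for FTOINST.EXE; a properly labelled GIF produces no finding.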