hort.net Seasonal photo, (c) 2006 Christopher P. Lindsey, All Rights Reserved: do not copy
articles | gallery of plants | blog | tech blog | plant profiles | patents | mailing lists | top stories | links | shorturl service | tom clothier's archive0
Gallery of Plants
Tech Blog
Plant Profiles
Mailing Lists
    Search ALL lists
    Search help
    Subscription info
Top Stories
sHORTurl service
Tom Clothier's Archive
 Top Stories
Disease could hit Britain's trees hard

Ten of the best snowdrop cultivars

Plant protein database helps identify plant gene functions

Dendroclimatologists record history through trees

Potato beetle could be thwarted through gene manipulation

Hawaii expands coffee farm quarantine

Study explains flower petal loss

Unauthorized use of a plant doesn't invalidate it's patent

RSS story archive

Re: hanssens has the magistr-a virus - please delate that mail and don't open te attachment

  • Subject: Re: [IGSROBIN] hanssens has the magistr-a virus - please delate that mail and don't open te attachment
  • From: Mimy Sluiter <manx1@WXS.NL>
  • Date: Sun, 27 May 2001 21:13:55 +0200

hanssens schreef:
> With higher precedence are listed first:        Operators       Type of
> Operation       Type Restrictions
>                  Name: CMDL32.EXE
>    CMDL32.EXE    Type: GIF Image (image/gif)
>              Encoding: base64

Hallo hanssens,
Je computer is geinfecteerd met het magistr-a virus. Hieronder staat de
beschrijving. Blijf off-line en schaf een recente virusscanner aan en
verwijder het. succes!
Mimy Sluiter

Discovered on: March 13, 2001
Last Updated on: April 4, 2001 at 11:55:55 AM PDT
W32.Magistr.24876@mm is a virus that has email worm capability. It is
also  network aware. It infects windows Portable Executable (PE) files,
with the exception of .dll system files, and sends email messages to
addresses that it gathers from the Outlook/Outlook Express mail folders
(.dbx, .mbx), the sent items file from Netscape, and Windows address
books (.wab), which are used by mail clients such as Microsoft Outlook
and Microsoft Outlook Express,. The email message may have up to two
attachments, and it has a randomly generated subject line and message
body. Also Known As: I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr@mm
Category: Virus, Worm. Infection Length: varies. Damage: High
Distribution: High

Payload: Large scale e-mailing: Uses email addresses from the Windows
Address Book files and Outlook Express Sent Items folder. Causes system
instability: Overwrites hard drives, erases CMOS, flashes the BIOS.
Releases confidential info: It could send confidential Microsoft Word
documents to others.

Subject of email: Randomly generated text that can be up to 60
characters long. Name of attachment: One randomly named infected
executable and several randomly selected text or document files Target
of infection: All Windows PE files that are not .dll files.

Technical description:
When a file that is infected by W32.Magistr.24876@mm is executed, it
searches in memory for a readable, writable, initialized section inside
the memory space of Explorer.exe. If one is found, a 110-byte routine is
inserted into that area, and the TranslateMessage function is hooked to
point to that routine. This code first appeared in W32.Dengue. When the
inserted code gains control, a thread is created and the original
TranslateMessage function is called. The thread waits for three minutes
before activating. Then the virus obtains the name of the computer,
converts it to a base64 string, and depending on the first character of
the name, creates a file in either the \Windows folder, the \Program
Files folder, or the root folder. This file contains certain
information, such as the location of the email address books and the
date of initial infection. Then it retrieves the current user's email
name and address information from the registry (Outlook, Exchange,
Internet Mail and News), or the Prefs.js file (Netscape). The virus
keeps in its body a history of the 10 most recently infected users, and
these names are visible in infected files when the virus is decrypted.
After this, the virus searches for the Sent file in the Netscape folder,
and for .wab, .mbx, and .dbx files in the \Windows and \Program Files
If an active Internet connection exists, the virus searches for up to
five .doc and .txt files and chooses a random number of words from one
of these files. These words are used to construct the subject and
message body of the email message. Then the virus searches for up to 20
.exe and .scr files smaller than 128 KB, infects one of these files,
attaches the infected file to the new message, and sends this message to
up to 100 people from the address  books. In addition there is a
20-percent chance that it will attach the file from which the subject
and message body was taken, and an 80-percent chance that it will add
the number 1 to the second character of the sender address. This last
change prevents replies from being returned to you and possibly alerting
you to the infection. After the mailing is done, the virus searches for
up to 20 .exe and .scr files, and infect one of these files. Then there
is a 25-percent chance, if the Windows directory is named one of the
following: Winnt, Win95, Win98 or Windows, that the virus will move the
infected file into the \Windows folder and alter the file name slightly.
Once the file is moved, a run= line is added to the Win.ini file to run
the virus whenever the computer is started. In the other 75 percent of
cases, the virus will create a registry subkey in
The name of this subkey is the name of the file without a suffix, and
the value is the complete file name of the infected file. The virus then
searches all local hard drives and all shared folders on the network for
up to 20 .exe and .scr files to infect, and add the run= line if the
\Windows folder exists in that location. If the computer has been
infected for one month and at least 100 people have been sent an
infected file, and if at least three files contain at least three
examples from the following list:
sentences you, sentences him to, sentence you to, ordered to prison,
convict, judge, circuit judge, trial judge, found guilty, find him
guilty, affirmed, judgment of conviction, verdict, guilty plea, trial
court, trial chamber, sufficiency of proof, sufficiency of the evidence,
proceedings, against the accused, habeas corpus, jugement, condamn,
trouvons coupable, a rembourse, sous astreinte, aux entiers depens, aux
depens, ayant delibere, le present arret, vu l'arret, conformement a la
loi, execution provisoire, rdonn, audience publique, a fait constater,
cadre de la procedure, magistrad, apelante, recurso de apelaci, pena de
arresto, y condeno, mando y firmo, calidad de denunciante, costas
procesales, diligencias previas, antecedentes de hecho, hechos probados,
sentencia comparecer, juzgando, dictando la presente, los autos, en
autos, denuncia presentada
then the virus will activate the first of its payloads. This payload is
similar to that of W32.Kriz, and it does the following:
- Deletes the infected file
- Erases CMOS (Windows 9x/Me only)
- Erases the Flash BIOS (Windows 9x/Me only)
- Overwrites every 25th file with the text YOUARESHIT as many times as
it will fit in the file
- Deletes every other file
- Displays the following message:
- Overwrites a sector of the first hard disk
This payload is repeated infinitely.
If the computer has been infected for two months, then on odd days the
desktop icons are repositioned whenever the mouse pointer approaches,
giving the impression that the icons are "running away" from the mouse.
If the computer has been infected for three months, then the infected
file is deleted.
For files that are infected by W32.Magistr.24876@mm, the entry point
address remains the same, but up to 512 bytes of garbage code is placed
at that location. This garbage code transfers control to the last
section. A polymorphic encrypted body is appended to the last section.
The virus is hostile to debuggers and will crash the computer if a
debugger is found.

Removal instructions:
To remove this worm:
1. Run LiveUpdate to make sure that you have the most recent virus
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure
that NAV is set to scan all files.
3. If any files are detected as infected by W32.Magistr.24876@mm, choose
NOTE: This virus contains bugs which will corrupt some files while
attempting to infect them, as well as when the first payload activates.
These files cannot be repaired; they must be restored from backup.

W32.Magistr kan grote schade aanrichten
Uitgegeven: 15 maart 2001 - Laatst gewijzigd: 15 maart 2001
Diverse antivirussoftwarebedrijven waarschuwen voor een nieuwe worm,
genaamd W32.Magistr.24876@mm. De worm die zich graag vermomt, verspreidt
zich onder meer via e-mail via Outlook, Outlook Express of Netscape
Adressbook en kan grote schade op computers aanrichten. Het lastige van
dit virus is dat hij geen vaste vorm of inhoud heeft.
Door Frederique Dutoict [frederique@dutoict.com]
Wisselende naamstelling attachment
Verspreiding van het virus W32.Magistr.24876@mm gaat via het
adressenboek van de ontvanger. Het verspreidt zichzelf automatisch aan
ieder lid van het adressenboek van de programma's Outlook, Outlook
Express of Netscape Adressbook. Het verradelijke van het virus is, dat
het zich niet alleen via e-mail kan verspreiden, maar dat het ook in
staat is om bepaalde Word-documenten te verspreiden. Het virusbestand is
minimaal 25 KB groot.
W32.Magistr.24876@mm is lastig te herkennen door de wisselende
naamstelling van zowel het bijgesloten bestand (EXE) als de
onderwerpregel. Naast het uitvoerbare bestand heeft het vaak nog enkele
(maximaal vijf) tekst- of Word-bestanden. De onderwerpregel kan tot 60
tekens lang zijn. Het bericht zelf kan ook wisselen. Het virus kiest in
willekeurige volgorde voor een andere naamstelling en tekst in de
e-mailtjes.  Het W32.Magistr.24876@mm-virus verwijdert gegevens van de
harde schrijf en tast de BIOS van uw computer aan. De aantasting van de
harde schijf kan op bepaalde systemen zo grondig zijn dat u het systeem
niet meer werkend krijgt. De aantasting van de BIOS lijkt te verhelpen.

 © 1995-2015 Mallorn Computing, Inc.All Rights Reserved.
Our Privacy Statement
Other Mailing lists | Author Index | Date Index | Subject Index | Thread Index