
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Magistr.B

 
Threat Level: High threat
Damage: Severe
Distribution: Not widespread

Effects 

Magistr.B infects all PE (Portable Executable) files with an EXE or SCR extension that are stored on the hard drives of the affected computer or on drives that can be accessed through a computer network.

However, Magistr.B does not infect EXE and SCR files if their name starts with GRPC.

The effects of Magistr.B are:

  • In 95% of cases it renders files unusable by inserting the text YOUARESHIT inside them.
    This happens on the hard drives of the affected computer, on the mapped network drives, and on those that Magistr.B can map.

    In the remaining 5% of cases, it deletes the files it finds instead of overwriting them.
  • It destroys files with an NTZ extension.
  • It closes the window of the firewall program called ZoneAlarm, if it is installed on the affected computer.
  • It moves the Desktop icons in the same direction as the mouse pointer is moved.
  • It inserts code in the files NTLDR and WIN.COM. Then, when executables are run, Magistr.B overwrites sectors of the main hard drive.
  • It deletes sectors of the hard drives in Windows Me/98/95 computers. Then, Magistr.B waits 0.9 seconds and enters a loop in order to overwrite the files again.

Infection strategy 

Magistr.B is a polymorphic virus and, therefore, uses a different infection routine each time. Its generic infection routine is:

  • It encrypts the files that it infects using the name of the computer that it is attacking. Magistr.B uses an XOR operation to encrypt the files and block them, so that they cannot be used.
    Files that are infected on one computer will not work correctly on other computers.
  • It looks for the WIN.INI and SYSTEM.INI files in order to modify them. By modifying these files, Magistr.B ensures that it is run whenever Windows is started.
    Magistr.B looks for these files in the following directories: WINNT, WINDOWS, WIN95, WIN98, WINME, WIN2000, WIN2K and WINXP.
  • When an infected file is run, Magistr.B checks if Windows Explorer is running. It does this by looking for the program EXPLORER.EXE in the computer's memory (using the function TranslateMessage).
  • It protects itself in order to avoid being detected and analyzed.
    To do this, it uses anti-debug techniques, which allow it to detect if it is being traced or if a program that performs this operation (for example, SoftICE) is installed.
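
The WIN.INI and SYSTEM.INI changes described above can be checked on a suspect drive. The following is an added example, not part of this encyclopedia entry: it assumes the standard legacy autostart keys (load= and run= under [windows] in WIN.INI, shell= under [boot] in SYSTEM.INI), which the entry does not name, and its function names and sample content are constructed for illustration.

```python
import os
# Directory names the entry lists as searched for WIN.INI and SYSTEM.INI.
WIN_DIRS = {"WINNT", "WINDOWS", "WIN95", "WIN98", "WINME", "WIN2000", "WIN2K", "WINXP"}
# Assumption (not named in the entry): (section, key, value expected on a clean system).
AUTOSTART_KEYS = {
    "win.ini": [("windows", "load", ""), ("windows", "run", "")],
    "system.ini": [("boot", "shell", "explorer.exe")],
}
# Constructed sample content, not taken from an infected machine.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\example.exe\n"

def parse_ini(text):
    """Minimal INI parser returning {section: {key: value}} with lower-cased names."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            data.setdefault(section, {})
        elif "=" in line and section is not None and not line.startswith(";"):
            key, value = line.split("=", 1)
            data[section][key.strip().lower()] = value.strip()
    return data

def audit_ini(filename, text):
    """Return [(section, key, value)] for autostart values that differ from the clean one."""
    ini = parse_ini(text)
    findings = []
    for section, key, expected in AUTOSTART_KEYS.get(filename.lower(), []):
        value = ini.get(section, {}).get(key, "")
        # A missing or empty key is not flagged (NT-family systems keep shell in the registry).
        if value and value.lower() != expected:
            findings.append((section, key, value))
    return findings

def audit_drive(root):
    """Audit both files in each listed directory under root, matching names case-insensitively."""
    results = {}
    for d in os.listdir(root):
        folder = os.path.join(root, d)
        if d.upper() not in WIN_DIRS or not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            if name.lower() in AUTOSTART_KEYS:
                path = os.path.join(folder, name)
                with open(path, errors="replace") as fh:
                    hits = audit_ini(name, fh.read())
                if hits:
                    results[path] = hits
    return results
```

Run audit_drive against the root of a mounted copy of the disk; any entry it returns is an autostart value to review by hand, not proof of infection.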

Means of transmission 

Magistr.B mainly uses e-mail to spread and carry out its infection. It reaches the computer in an e-mail message with variable characteristics, making it difficult to recognize.

The message will consist of text that Magistr.B has selected at random from a file in the affected computer.

Magistr.B sends infected messages to the contacts in the Address Book and message databases (files with a DBX or MBX extension) in the mail programs Outlook Express and Eudora.

The infected message includes a file with a PIF, COM, BAT or EXE extension. It may also include a file with one of the following extensions: DOC, TXT, INI or GIF.