Effects
Magistr.B infects all PE (Portable Executable) files with an EXE or SCR extension that are stored on the hard disk of the affected computer or on disk drives that can be reached through a computer network.
However, Magistr.B does not infect EXE and SCR files whose name starts with GRPC.
The effects of Magistr.B are:
- In 95% of cases it overwrites the files it finds. This happens on the disk drives of the affected computer, on the mapped network drives, and on any drives that Magistr.B is able to map. In the remaining 5% of cases it deletes the files it finds instead of overwriting them.
- It destroys files with an NTZ extension.
- It closes the window of the ZoneAlarm firewall, if it is installed on the affected computer.
- It moves the Desktop icons in the same direction as the mouse pointer is moved.
- It inserts code in the \NTLDR and \WINDOWS\WIN.COM files. Then, when executables are run, Magistr.B overwrites sectors of the main disk drive.
- On computers running Windows 95 or Windows 98 it deletes sectors of the hard disk. Magistr.B then waits 0.9 seconds and enters a loop in order to overwrite the files again.
Infection strategy
Magistr.B is a polymorphic virus: the code it writes into each infected file looks different every time, although the steps of its infection routine stay the same. Its generic infection routine is:
- It encrypts the files it infects with a XOR operation whose key is derived from the name of the computer it is attacking. The infected files are therefore tied to that computer name: copied to another computer, they will not work correctly.
- It looks for the WIN.INI and SYSTEM.INI files in order to modify them, which ensures that it is activated the next time the computer starts up. Magistr.B looks for these files in the following directories: WINNT, WINDOWS, WIN95, WIN98, WINME, WIN2000, WIN2K and WINXP.
- It modifies the shell= line in the [boot] section of SYSTEM.INI (the line that by default reads shell=explorer.exe) so that it is run whenever the infected computer starts up.
- When an infected file is run, Magistr.B checks whether Windows Explorer is running. It does this by looking for EXPLORER.EXE in the computer's memory (using the TranslateMessage function).
- It protects itself in order to avoid being detected and analyzed. To do this it uses anti-debugging techniques, which let it detect whether it is being traced or whether a debugger such as SoftICE is installed on the computer.
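The following Python is an added illustration written for this page, not the virus's own code or anything reconstructed from it. It models two points of the routine above: which files are selected for infection (EXE or SCR, name not starting with GRPC) and why a body encrypted with a key derived from the computer name stops working on another machine. The repeating-key XOR over the upper-cased computer name, the SHA-256 integrity check in place of whatever a real decryptor stub does, the VIRUS_BODY bytes and the host names WORKSTATION1 and LABPC are all assumptions or constructed data; the page only says that a XOR operation keyed with the computer name is used.

```python
from __future__ import annotations

import hashlib
import ntpath

# Constructed stand-in for the code an infector stores in an infected
# file; it is not real machine code and not taken from Magistr.B.
VIRUS_BODY = b"\x55\x8b\xec\x83\xec\x10" + b"EXAMPLE-VIRUS-BODY-" * 6


def is_infection_target(path: str) -> bool:
    """True for the files the description says are infected: EXE or SCR
    files whose name does not start with GRPC. ntpath is used so that
    Windows paths (including UNC network paths) parse on any host."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    if ext.upper() not in (".EXE", ".SCR"):
        return False
    return not stem.upper().startswith("GRPC")


def xor_with_computer_name(data: bytes, computer_name: str) -> bytes:
    """Repeating-key XOR keyed by the computer name (assumed key schedule).
    The name is upper-cased because Windows computer names are not
    case-sensitive, so the same host always reproduces the same key."""
    key = computer_name.strip().upper().encode("ascii")
    if not key:
        raise ValueError("computer name must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_infected_payload(body: bytes, computer_name: str) -> bytes:
    """What an infector keyed to this host would embed: a digest of the
    plaintext body followed by the body XOR-encrypted under the host key.
    The digest is an assumption standing in for the stub's own check."""
    return hashlib.sha256(body).digest() + xor_with_computer_name(body, computer_name)


def decrypt_on_host(payload: bytes, computer_name: str) -> bytes | None:
    """Simulate the decryptor stub running on a host with the given name.
    Returns the body only if that name reproduces the key; on any other
    host the XOR yields garbage and None is returned, which is why an
    infected file copied to another computer does not work there."""
    digest, encrypted = payload[:32], payload[32:]
    body = xor_with_computer_name(encrypted, computer_name)
    return body if hashlib.sha256(body).digest() == digest else None


if __name__ == "__main__":
    payload = build_infected_payload(VIRUS_BODY, "WORKSTATION1")
    print("same host :", decrypt_on_host(payload, "WORKSTATION1") == VIRUS_BODY)  # True
    print("other host:", decrypt_on_host(payload, "LABPC"))  # None
```

The stub accepts the name in any letter case, mirroring how Windows treats computer names, but any other name, even one differing by a single character, leaves the body unreadable.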
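One check a practitioner would want for the persistence step above: read the [boot] section of SYSTEM.INI in each of the directories listed and flag a shell= line that launches anything beyond explorer.exe. This is added example code for this page, not code from the original description or any vendor tool. The sample SYSTEM.INI contents, the placeholder path C:\WINDOWS\SAMPLE.EXE and the assumption that the virus persists by appending its own file to the shell= line are constructed for the example; the page says only that the line is modified so that the virus runs at startup.

```python
from __future__ import annotations

import ntpath
from typing import Optional

# Directories the description says Magistr.B searches for WIN.INI and SYSTEM.INI.
CANDIDATE_DIRS = ("WINNT", "WINDOWS", "WIN95", "WIN98",
                  "WINME", "WIN2000", "WIN2K", "WINXP")

# Constructed sample files (not captured from an infected machine).
STOCK_SYSTEM_INI = """[boot]
shell=Explorer.exe
; other [boot] keys omitted
[386Enh]
"""

# Assumed form of the modification: the virus's file appended to shell=,
# so the shell starts it at logon. SAMPLE.EXE is a placeholder name.
MODIFIED_SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\SAMPLE.EXE
[386Enh]
"""


def candidate_system_ini_paths(drive: str = "C:") -> list[str]:
    """Every SYSTEM.INI location the virus would look at on the given drive."""
    return [ntpath.join(drive + "\\", d, "SYSTEM.INI") for d in CANDIDATE_DIRS]


def boot_shell_value(system_ini_text: str) -> Optional[str]:
    """Return the value of shell= in the [boot] section, or None if absent.
    A minimal INI reader: [section] headers, ';' comments, key=value."""
    section = None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return None


def audit_shell_line(system_ini_text: str) -> list[str]:
    """Findings about the shell= line; an empty list means the stock setting.
    Anything after explorer.exe on that line is started together with the
    shell, which is how the description says the virus gets run at startup."""
    value = boot_shell_value(system_ini_text)
    if value is None:
        return ["[boot] section has no shell= line"]
    tokens = value.split()
    if not tokens:
        return ["shell= line is empty"]
    findings = []
    if tokens[0].lower() != "explorer.exe":
        findings.append(f"shell is not explorer.exe: {tokens[0]}")
    for extra in tokens[1:]:
        findings.append(f"extra program launched from shell= line: {extra}")
    return findings


if __name__ == "__main__":
    for name, text in (("stock", STOCK_SYSTEM_INI), ("modified", MODIFIED_SYSTEM_INI)):
        print(name, audit_shell_line(text) or ["clean"])
    print(candidate_system_ini_paths("C:"))
```

The value is split on whitespace, which is adequate for the 8.3 paths typical of the Windows 9x era this virus targets; a legitimate path containing spaces would show up as several tokens and should be reviewed by hand rather than dismissed. On a live system, read each path returned by candidate_system_ini_paths() and pass its contents to audit_shell_line().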
Means of transmission
Magistr.B spreads mainly by e-mail. The characteristics of the message vary, which makes it difficult to recognize.
The message text consists of text that Magistr.B has selected at random from a file on the affected computer.
Magistr.B sends infected messages to the contacts found in the Address Book and in the message databases (files with a DBX or MBX extension) of the mail programs Outlook Express and Eudora.
The infected message carries an attachment with a PIF, COM, BAT or EXE extension. It may also include a second file with a DOC, TXT, INI or GIF extension.