June 23, 2015
When you combine something that spreads as widely as ILOVEYOU with something as destructive as CIH, this is the result.
If you are in a hurry, here are some parts you can skip to:
14:45 Payload where the icons run away from the cursor
16:00, 27:50 What mail sent by the worm looks like
23:06 Very destructive payload
26:05 What some overwritten files look like and a restart
30:45 "Copyright message" inside the decrypted virus
Turn down your volume at 19:08, 21:45, and 27:14, as the PC speaker beeps can be loud.
Bugs in Magistr
When Magistr imports the functions it needs, it walks through an astonishing number of export entries (about 3,000,000,000, compared to the 700 functions exported by KERNEL32.DLL). This is because it compares the number of functions it has encountered so far against the address of the NumberOfNames field in the export table (which is that very large number) instead of the field's value. This does not seem to cause a problem, because Magistr does find the functions it needs.
String comparison functions will return a match even if the last character is different.
The polymorphic generator may generate code that does not return to the host properly.
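As an added illustration of the two bugs above (this is not code from the video or from the Magistr sample), here is a small Python walker over a constructed, toy PE export directory. It resolves a function by name the way a loader would, and can optionally reproduce the wrong loop bound (the address of NumberOfNames instead of its value) and the string comparison that accepts a name whose last character differs. The image layout, the export names, the RVAs and the image base of 0 are all constructed for the example.

```python
import struct

# Layout of IMAGE_EXPORT_DIRECTORY (40 bytes, little-endian) as in the PE spec.
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_FIELDS = ("Characteristics", "TimeDateStamp", "MajorVersion", "MinorVersion",
                     "Name", "Base", "NumberOfFunctions", "NumberOfNames",
                     "AddressOfFunctions", "AddressOfNames", "AddressOfNameOrdinals")
NUMBER_OF_NAMES_OFFSET = struct.calcsize("<IIHHIII")  # 24: offset of NumberOfNames in the struct

# Constructed toy image: RVAs are plain offsets into the buffer (image base 0).
# This is not a real DLL, only enough structure to walk an export name table.
EXPORT_DIR_RVA = 0x100
NAMES_RVA, ORDINALS_RVA, FUNCS_RVA, STRINGS_RVA = 0x200, 0x280, 0x300, 0x400
# Exported names in the sorted order a linker would emit them (constructed list).
EXPORTS = ["CloseHandle", "CreateFileA", "CreateFileW", "GetProcAddress", "LoadLibraryA"]


def build_image():
    """Build the constructed image: export directory, name/ordinal/function arrays, strings."""
    image = bytearray(0x800)
    name_rvas, func_rvas = [], []
    cursor = STRINGS_RVA
    for i, name in enumerate(EXPORTS):
        raw = name.encode() + b"\0"
        image[cursor:cursor + len(raw)] = raw
        name_rvas.append(cursor)
        cursor += len(raw)
        func_rvas.append(0x1000 + 0x10 * i)  # fake code RVAs, one per export
    for i, (n, f) in enumerate(zip(name_rvas, func_rvas)):
        struct.pack_into("<I", image, NAMES_RVA + 4 * i, n)
        struct.pack_into("<H", image, ORDINALS_RVA + 2 * i, i)
        struct.pack_into("<I", image, FUNCS_RVA + 4 * i, f)
    struct.pack_into(EXPORT_DIR_FMT, image, EXPORT_DIR_RVA,
                     0, 0, 0, 0, 0, 1, len(EXPORTS), len(EXPORTS),
                     FUNCS_RVA, NAMES_RVA, ORDINALS_RVA)
    return bytes(image)


def read_cstring(image, rva):
    """Read a NUL-terminated string at rva; an out-of-image pointer reads as empty."""
    if rva >= len(image):
        return b""
    end = image.find(b"\0", rva)
    return image[rva:end if end != -1 else len(image)]


def find_export(image, wanted, bound_from_field_address=False, ignore_last_char=False):
    """Walk the export name table for `wanted`; return (function RVA or None, names examined).

    bound_from_field_address reproduces the Magistr loop bound: the *address* of
    NumberOfNames instead of its *value*. ignore_last_char reproduces the compare
    that still matches when only the final character differs.
    """
    ed = dict(zip(EXPORT_DIR_FIELDS,
                  struct.unpack_from(EXPORT_DIR_FMT, image, EXPORT_DIR_RVA)))
    if bound_from_field_address:
        # With image base 0 this is only 280; in a loaded KERNEL32 it is the
        # field's virtual address, a number in the billions.
        bound = EXPORT_DIR_RVA + NUMBER_OF_NAMES_OFFSET
    else:
        bound = ed["NumberOfNames"]
    target = wanted.encode()
    examined = 0
    for i in range(bound):
        if ed["AddressOfNames"] + 4 * i + 4 > len(image):
            break  # walked off the end of the image
        name_rva = struct.unpack_from("<I", image, ed["AddressOfNames"] + 4 * i)[0]
        name = read_cstring(image, name_rva)
        examined += 1
        if ignore_last_char:
            matched = len(name) == len(target) and name[:-1] == target[:-1]
        else:
            matched = name == target
        if matched:
            ordinal = struct.unpack_from("<H", image, ed["AddressOfNameOrdinals"] + 2 * i)[0]
            return struct.unpack_from("<I", image, ed["AddressOfFunctions"] + 4 * ordinal)[0], examined
    return None, examined


if __name__ == "__main__":
    img = build_image()
    print("correct bound:   ", find_export(img, "GetProcAddress"))
    print("address as bound:", find_export(img, "GetProcAddress", bound_from_field_address=True))
    print("missing, correct:", find_export(img, "VirtualAlloc"))
    print("missing, buggy:  ", find_export(img, "VirtualAlloc", bound_from_field_address=True))
    print("CreateFileW:     ", find_export(img, "CreateFileW"))
    print("last char ignored", find_export(img, "CreateFileW", ignore_last_char=True))
```

The walk shows why the oversized bound is harmless in practice: a name that is present is found within the first NumberOfNames entries, so the loop exits long before the bogus limit is reached, and only a lookup for a name that is absent keeps reading past the array. The comparison bug only matters when two exports differ solely in their final character and the wrong one is listed first, which the CreateFileA/CreateFileW pair demonstrates.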
Changes from the original sample
Instead of checking for 100 contacts before activating payloads, this sample checks for 12.
When the virus reaches a sleep call, it sleeps for 1 second.
The virus uses the SMTP HELO command as HELO [network name] rather than HELO [SMTP server], because Mercury does not accept the latter.
Magistr becomes resident by running a thread inside explorer.exe's process. The worm collects the user's e-mail account information as well as the contacts stored in .DBX and .WAB files. If that succeeds, the thread runs forever (an infinite loop) unless explorer.exe is terminated.

The worm then tests for an internet connection and sends mail to 4 recipients at a time. It composes the subject and body from random .DOC/.TXT files on the user's drive, attaches an infected file and, with a 20% chance, also attaches the .DOC/.TXT file the subject and body were taken from.

When finished, Magistr finds up to 20 files to infect and, 80% of the time, adds itself to the RUN key. It also infects shared network resources to which it has full access.

Finally the worm tests for payloads. If the worm has sent mail to more than 100 recipients, a month has passed, and 3 matches from a list of 55 phrases are found in each of 3 files, the virus deletes files, overwrites others with "YOUARESHIT", and (only under Win9x) flashes the BIOS. If the worm has sent mail to more than 100 recipients and two months have passed, then on odd days the icons run away from the cursor. After three months, regardless of how many recipients the worm has mailed, it deletes the files found by its search routines.