Magistr, occasionally called Disemboweler, is a dangerous email worm that runs on Windows 9x as well as Windows NT. It spreads to other computers through email as well as infects files. In addition, Magistr has a very dangerous payload that deletes files, and destroys the BIOS chip. It is comparable to some other potentially very dangerous viruses, such as CIH, MyPics, and Kriz. It also shares some features of the Dengue virus. Magistr, due to its massive size and variety of payloads, is one of the most complex viruses ever created.
When a file infected with Magistr is executed, it tries to load itself into memory by patching the Explorer.exe process with a 110-byte routine that loads the rest of the virus into Explorer's memory. The TranslateMessage function is hooked to point to that code. It operates in memory as a thread of the Explorer process. After completing this part of the infection, the worm sleeps for three minutes.
Magistr then finds the name of the infected computer and converts it to a base 64 string. Depending on the first letter of this string, it creates a file in the Windows folder, the Program Files folder, or the root of the hard drive. This file contains information that includes the location of the address books and the date of infection.
It obtains the current user's email address. It checks the registry for Outlook, Exchange, and Internet Mail and News, then the Prefs.js file for Netscape. It adds this address to a list of the ten most recent email addresses it has infected.
Magistr checks for an active Internet connection and if there is one, begins constructing an email to send an infected file. It searches the system for .doc and .txt files and will use random text from one of these to construct the sender line and body of the email it will send itself in. There is a 20% chance that Magistr will attach the file it chooses to the email. Some reports say it can send up to six files. It searches for up to 20 .exe and .scr files smaller than 128 kilobytes and infects one of them. The infected file will be attached to the email.
After the mail has been sent, Magistr searches for 20 .exe and .scr files on the local system and over the network and infects one of them. If the Windows folder is named Winnt, Win95, Win98 or Windows, there is a 25% chance it will move the infected file into that folder and make a small change to the filename, and add a "run=" line (this is the old equivalent to the Run registry keys) to the Win.ini file with the name and path of the infected file added to it. In all other cases, it adds the file name of the infected file (without extension) as a subkey to the local machine run key and the full name and path of the file to this subkey.
At the entry point of the infected file, there will be 512 bytes of garbage code that transfers control of the program to the virus. Magistr encrypts its main code with a polymorphic engine and appends itself to the file. An infected file will not run after being infected, so the user will not notice a program starting unexpectedly every time the computer starts.
- Another haughty bloodsucker.......
- YOU THINK YOU ARE GOD,BUT YOU ARE ONLY A CHUNK OF SH*T.
Note the above message is uncensored.
After the computer has been infected for a month, 100 emails have been sent with the virus, and three files on the system are found to contain text related to criminal trials, Magistr activates its payload. It deletes every infected file. It overwrites every 25th text file it finds on the system with "YOUARESH*T" (uncensored) as many times as will fit in each file, corrupting those files.
Magistr's payload can also render a system inoperable. It deletes every other file on the system. It pops up the above vulgar message. If OK is pressed and the system is Windows 9x, the virus overwrites a sector of the first hard disk in an infinite loop, causing the computer to crash. On Windows NT, nothing happens after OK is pressed. On Windows 9x, it then erases the CMOS and, if possible, the BIOS. This can make the computer unbootable, a behavior shared with CIH, CMOSDead, Kriz, FlashKiller, Mypics, AntiCMOS, Bumerang, and many others. If the computer survives the CMOS or BIOS attack, the startup files are still deleted or overwritten, so the system will no longer boot and a reinstallation is needed.
If the virus has been on the system two months (and assuming the system still works), on odd days, it will reposition desktop icons when the mouse hovers over them, making it appear as if they are running away, similar to Shoerec's first payload.
If the system has been infected for three months and still works, the infected file being run is deleted, along with most other files, but no message is displayed and the BIOS and CMOS are not destroyed. The computer will still fail to boot because the startup files are deleted.
If a debugger is found on the system at any time and the debugger is run, Magistr causes a General Protection Fault, crashing either the application or the computer.
There is at least one known variant. When infecting over a network, Magistr.B registers itself in the WIN.INI and SYSTEM.INI files on the target system. In WIN.INI, it registers itself in the "Run=" line of the [windows] section. In SYSTEM.INI, it registers itself in the "Shell=" line of the [boot] section. When infecting a file, this variant encrypts itself with a key derived from the computer's name, making disinfection of these files more difficult. It does not encrypt files smaller than 131 kilobytes or files infected on a remote computer.
In addition to the other names for the Windows folder, Magistr.B checks for new names, including WINME, WIN2000, WIN2K and WINXP, names commonly used when this variant runs on Windows 2000, ME, or XP. Like the original, it can send a .doc file along with the copy of itself, but it can also attach a .gif image file to its email.
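The persistence entries described above (the "run=" line Magistr adds to Win.ini and the "Shell=" line Magistr.B changes in System.ini) can be checked offline by parsing those files. The following is an added example written for this page, not code from the original article or from the worm; the INI contents are constructed samples, and the file names shown in them are made up.

```python
# Constructed sample INI contents (not from a real infected machine).
# A clean win.ini has empty "load=" and "run=" lines in [windows];
# a clean Windows 9x system.ini has exactly "shell=Explorer.exe" in [boot].
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\notepad1.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\calc2.exe
drivers=mmsystem.dll
[386Enh]
device=*vmm
"""


def parse_ini(text):
    """Minimal INI parser that keeps every key occurrence in order.

    configparser is avoided on purpose: old INI files may repeat keys,
    and a duplicate "run=" line is exactly what an analyst wants to see.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def find_ini_persistence(win_ini, system_ini):
    """Return (file, key, value) tuples that deviate from the clean defaults."""
    findings = []
    for key, value in parse_ini(win_ini).get("windows", []):
        if key in ("run", "load") and value:          # any program here auto-starts
            findings.append(("win.ini", key, value))
    for key, value in parse_ini(system_ini).get("boot", []):
        if key == "shell" and value.lower() != "explorer.exe":  # extra program after the shell
            findings.append(("system.ini", key, value))
    return findings


if __name__ == "__main__":
    for hit in find_ini_persistence(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print("suspicious startup entry:", hit)
```

The same check does not cover the HKLM Run subkey the original variant uses on other folder names; that entry has to be read from the registry separately.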
This variant's payload adds the ability to destroy .ntz files used by some antivirus programs. Magistr.B also attempts to disable the ZoneAlarm firewall. It fails at this and it is unknown if this failure is corrected in a subsequent variant. The variant also overwrites Win.com in the Windows folder and NTLDR in the root of drive C: with code that overwrites the hard drive when the system starts.
Magistr is often used as an example of why very destructive viruses and worms do not spread very far. In addition, the virus gives so many warning signs that the user knows something is wrong before it can do real damage. One security expert claimed he only saw one incident where the virus managed to do all of the things it was intended to do and attributed this to the fact that there were so many annoyances.
Magistr was coded in Assembly, though its size of nearly 30 kilobytes makes it large for something written in Assembly. Its coder is The Judges Disembowler, based in Sweden. It is unknown if this is a person or a group. They have not released anything with any notable impact since. Because of the sophistication of this virus, particularly its payload, s/he/they are believed to have relatively advanced knowledge of computers.