Virus Alert! W32.Magistr.39921@mm spreading like wildfire! (updated 9/6/01)
This question was answered on September 7, 2001. Much of the information contained herein may have changed since posting.
According to the Symantec Anti-Virus Research Center (SARC), the W32.Magistr.39921@mm virus/worm is in heavy distribution. The virus/worm changes its appearance in many ways, which is most likely the cause of the rapid spread.
This mass mailing worm auto-sends itself from infected systems with randomly generated 'Subject:' lines of up to 60 characters and attaches a randomly named infected file with the *.exe extension and several randomly selected *.txt or *.doc files.
This version of the worm differs from previous versions in that it:
- Is aware of Eudora address books (listed in eudora.ini).
- Deletes *.NTZ files while searching for files.
- Terminates ZoneAlarm before connecting to the internet.
- Adds an entry to the Shell=explorer.exe line in the Boot section of system.ini that calls the W32.Magistr.Trojan.
- Searches for more "Windows" directories (WINNT, WINDOWS, WIN95, WIN98, WINME, WIN2000, WIN2K, WINXP).
- Uses a random extension for the mail attachment (exe, bat, pif, com).
- Occasionally attaches .gifs to emails.
- Has a W32.Magistr.Trojan payload that overwrites ntldr and win.com on all drives with code to store garbage in the first sector of the first IDE hard disk.
Be on the watch for messages that have multiple file attachments and strange subject lines, most likely from people that you know.
The current versions from all the major anti-virus companies will detect and clean this virus, so be sure to update your program!
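The system.ini change listed above can be checked by hand or with a short script. The following is an added example, not part of the original alert or any vendor tool: it reads the text of a system.ini file and reports any Shell= line in the Boot section that is not exactly explorer.exe. The function names, the sample file contents and the EXAMPLE.EXE placeholder are constructed for illustration, and the strict comparison against explorer.exe is an assumption taken from the value the alert names.

```python
import re

# Value the alert names for the Boot section entry; anything else is reported.
EXPECTED_SHELL = "explorer.exe"

def boot_shell_values(ini_text):
    """Return every Shell= value found inside the [boot] section, in file order."""
    section, values = None, []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and ; comments
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()  # section names are case-insensitive
            continue
        key, sep, val = line.partition("=")
        if sep and section == "boot" and key.strip().lower() == "shell":
            values.append(val.strip())
    return values

def check_system_ini(ini_text):
    """Return a list of findings; an empty list means Shell= is as expected."""
    values = boot_shell_values(ini_text)
    if not values:
        return ["Shell= not found in [boot] section"]
    findings = ["unexpected Shell value: " + v
                for v in values if v.lower() != EXPECTED_SHELL]
    if len(values) > 1:
        findings.append("multiple Shell= entries in [boot] section")
    return findings

# Constructed sample: unmodified entry, plus a shell= key in another section
# to show that only the [boot] section is examined.
CLEAN_SAMPLE = "[boot]\nshell=Explorer.exe\nsystem.drv=system.drv\n\n[386Enh]\nshell=ignored.exe\n"

# Constructed sample: an extra program appended to the Shell line.
# EXAMPLE.EXE is a placeholder, not the worm's actual file name.
MODIFIED_SAMPLE = "; constructed sample\n[Boot]\nShell=explorer.exe EXAMPLE.EXE\n"

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_SAMPLE), ("modified", MODIFIED_SAMPLE)):
        print(name, check_system_ini(text) or "OK")
```

A reported finding only means the line differs from the expected value; a current anti-virus scan is still the way to confirm and clean an infection.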
About the author
Posted by Ken Colburn of Data Doctors on September 7, 2001