W32.Magistr.24876@mm

When a file that W32.Magistr.24876@mm infected is executed, the virus searches in memory for a readable, writable, and initialized area inside the memory space of Explorer.exe. If the virus finds one, a 110-byte routine is inserted into that area and the TranslateMessage function is hooked to point to that routine. This code first appeared in W32.Dengue.

When the inserted code gains control:

1. A thread is created and the original TranslateMessage function is called. The thread waits for three minutes before activating.
   
   
2. Then the virus obtains the name of the computer, converts it to a base64 string, and depending on the first character of the name, creates a file in either the \Windows folder, the \Program Files folder, or the root folder. This file contains certain information, such as the location of the email address books and the date of initial infection.
   
   
3. The virus retrieves the current user's email name and address from the registry (for Outlook, Exchange, and Internet Mail, and News), or the Prefs.js file (for Netscape). The virus keeps in its body a history of the 10 most recently infected users, and these names are visible in the infected files when the virus is decrypted. Next, the virus searches for the Sent file in the Netscape folder, and for the .wab, .mbx, and .dbx files in the \Windows and \Program Files folders.
   
   
4. If an active Internet connection exists, the virus searches for up to five .doc and .txt files and chooses a random number of words from one of these files. These words are used to construct the subject and message body of the email message.
   
   
5. Then the virus searches for up to 20 .exe and .scr files smaller than 128 KB, infects one of these files, attaches the infected file to the new message, and sends this message to up to 100 people from the address books. Also, there is a 20% chance that it will attach the file from which the subject and message body was taken, and an 80% chance that it will add the number one (1) to the second character of the sender's address. This last change prevents replies from being returned to you, and possibly alerts you to the infection.
   
   
6. After the mailing is complete, the virus searches for up to 20 .exe and .scr files and infects one of these files. Then, if the Windows directory is named one of the following:
   • Winnt
   • Win95
   • Win98
   • Windows
     

there is a 25% chance that the virus will move the infected file into the \Windows folder and slightly alter the filename. Once the file is moved, a run= line is added to the Win.ini file to run the virus when the computer is started. In the other 75% of the cases, the virus creates a registry subkey in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The name of this subkey is the name of the file without a suffix, and the value is the complete filename of the infected file. Then, the virus searches all the local hard drives and all the shared folders on the network to infect up to 20 .exe and .scr files. Then, it adds the run= line if the \Windows folder exists in that location.

The virus will activate the first of its payloads if the computer has been infected for one month and at least 100 people have been sent an infected file, and if at least three files contain at least three examples from the following list:

sentences you
sentences him to
sentence you to
ordered to prison
convict
, judge
circuit judge
trial judge
found guilty
find him guilty
affirmed
judgment of conviction
verdict
guilty plea
trial court
trial chamber
sufficiency of proof
sufficiency of the evidence
proceedings
against the accused
habeas corpus
jugement
condamn
trouvons coupable
a rembourse
sous astreinte
aux entiers depens
aux depens
ayant delibere
le present arret
vu l'arret
conformement a la loi
execution provisoire
rdonn
audience publique
a fait constater
cadre de la procedure
magistrad
apelante
recurso de apelaci
pena de arresto
y condeno
mando y firmo
calidad de denunciante
costas procesales
diligencias previas
antecedentes de hecho
hechos probados
sentencia
comparecer
juzgando
dictando la presente
los autos
en autos
denuncia presentada

This payload is similar to that of W32.Kriz, and it does the following:

• Deletes the infected file
• Erases CMOS (Windows 9x/Me only)
• Erases the Flash BIOS (Windows 9x/Me only)
• Overwrites every 25th file with the text YOUARESHIT as many times as it will fit in the file
• Deletes every other file
• Displays the following message:
  
  
  
  
  
  
• Overwrites a sector of the first hard disk

This payload is repeated infinitely.

If the computer has been infected for two months, then, on odd days, the desktop icons are repositioned when the mouse pointer approaches, giving the impression that the icons are "running away" from the mouse:





If the computer has been infected for three months, then the infected file is deleted.

For the files that W32.Magistr.24876@mm infects, the entry point address remains the same; however, up to 512 bytes of garbage code is placed at that location. This garbage code transfers control to the last section. A polymorphic-encrypted body is appended to the last section. The virus is hostile to debuggers and will crash the computer if a debugger is found.

NOTE: If a file is detected as W32.Magistr.corrupt, this indicates that the virus damaged the file, and thus cannot be repaired.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
• Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
• Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
• If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
• If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
• For further information on the terms used in this document, please refer to the Security Response glossary.

Summary