Discovered: March 13, 2001
Updated: February 13, 2007 11:36:05 AM
Also Known As: W32.Magistr.24876.int, W32.Magistr.24876.corrupt, I-Worm.Magistr.a [KAV], PE_MAGISTR.A [Trend], W32/Disemboweler [Panda], W32/Magistr-A [Sophos], W32/Magistr.a@MM [McAfee], Win32.Magistr.24876 [CA]
Type: Worm, Virus
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Removal using the W32.Magistr Worm Removal Tool
Symantec Security Response has created a tool to remove W32.Magistr.24876@mm, which is the easiest way to remove this threat.
Manual Removal
To remove this worm, repair the files detected as W32.Magistr.24876@mm, and reverse the changes it made to the Windows registry or the Win.ini file.
NOTE: This worm attempts to erase CMOS and to flash the BIOS on Windows 95/98/Me-based computers. In most cases, this action is not successful. However, if the worm succeeds in performing this action, the computer will not start properly. In this case, contact the computer manufacturer for instructions on how to fix this.
Removing the worm
- Run LiveUpdate to make sure that you have the most recent virus definitions.
- Start Norton AntiVirus (NAV), and make sure that it is configured to scan all the files. For instructions on how to do this, read the document, "How to configure Norton AntiVirus to scan all files."
- Run a full system scan.
- If any files are detected as infected by W32.Magistr.24876@mm, write down the filenames, and then click Repair. Delete the files that cannot be repaired.
Editing the registry
There is a 75% chance that the worm has added a value to the registry. Follow the instructions in this section first. If you do not find a value that the worm added, proceed to the next section.
CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Make sure to modify the specified keys only. See the document, "How to back up the Windows registry," before proceeding.
- Click Start, and then click Run. (The Run dialog box appears.)
- Type regedit, and then click OK. (The Registry Editor opens.)
- Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, delete the value that refers to a file that was detected as infected by W32.Magistr.24876@mm.
Editing the Win.ini file
- Click Start, and then click Run.
- Type the following:
edit c:\windows\win.ini
and then click OK. (The MS-DOS Editor opens.)
NOTE: If Windows is installed in a different location, make the appropriate path substitution.
- In the [windows] section of the file, look for the line that begins with: run=
- To the right of the equal (=) sign, look for the text that refers to a file detected as infected by W32.Magistr.24876@mm.
- Delete this text.
- Click File, and then click Save.
- Exit the MS-DOS Editor.
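The Win.ini edit described above, as an added example that is not part of the original writeup: a Python function that removes entries naming infected files from the run= line of the [windows] section and leaves every other line unchanged. The sample Win.ini text and the filename sample1.exe are constructed, and entries on run= are assumed to be separated by spaces or commas.

```python
import re

def clean_win_ini(text, infected_files):
    """Strip entries naming infected files from run= in the [windows] section.

    Returns (new_text, removed_entries). Lines outside that key are untouched.
    """
    infected = {name.lower() for name in infected_files}
    out, removed, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        header = re.fullmatch(r"\[([^\]]+)\]", stripped)
        if header:
            section = header.group(1).lower()
        elif section == "windows" and re.match(r"run\s*=", stripped, re.I):
            key, _, value = line.partition("=")
            keep = []
            # Assumption: entries are separated by spaces or commas.
            for entry in re.split(r"[,\s]+", value.strip()):
                if not entry:
                    continue
                # Match on the full entry or on its bare filename.
                base = re.split(r"[\\/]", entry)[-1].lower()
                if entry.lower() in infected or base in infected:
                    removed.append(entry)
                else:
                    keep.append(entry)
            line = key + "=" + " ".join(keep)
        out.append(line)
    return "\n".join(out) + "\n", removed

# Constructed sample: one infected entry next to a legitimate one.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\SYSTEM\\SAMPLE1.EXE c:\\tools\\clock.exe\n"
    "NullPort=None\n"
    "\n"
    "[Desktop]\n"
    "run=sample1.exe\n"
)
INFECTED = ["sample1.exe"]  # constructed: filenames written down from the scan

if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE_WIN_INI, INFECTED)
    print("removed:", removed)
    print(cleaned, end="")
```

Run it against a copy of Win.ini and compare the result with the original before replacing the file.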
NOTE: This virus contains bugs that will corrupt some files while attempting to infect them, as well as when the first payload activates. These files cannot be repaired; restore them from a backup. (These files may be detected as W32.Magistr.corrupt.)
Writeup By: Peter Ferrie