Magef
Type: File virus
Creator:
Date Discovered: 18-OCT-2003
Place of Origin: China
Source Language: Assembly
Platform: Microsoft Windows
Infection Length: 4,180 bytes
Reported Costs:

Magef, also known as Mafeg, MFG, or Dupate, is a memory-resident, file-appending virus that also behaves like a worm, attempting to spread itself through shared network resources. It used a common vulnerability to give itself kernel-level privileges. It was common in China in the early and mid-2000s and had problems spreading elsewhere. The original and most variants delivered messages embarrassing to Microsoft, the Japanese, and some other targets.

Behavior

When executed, Magef copies itself as Dxupdate.exe to the System folder. It then adds the value "Dxupdate.exe = Dxupdate.exe" to the Local Machine RunOnce registry key. The virus becomes memory resident and infects all Portable Executables as they are executed. If the system is Windows NT, 2000, XP, or Server 2003, it will attempt to infect the C:\NTLDR file, which is responsible for loading the operating system, so the virus is able to jump from ring 3 to ring 0. It scans for shared folders on the local network and copies itself to the Startup folder of the remote system.

If it is a Saturday in any year after 2003, Magef displays a message in Chinese.

As the worm uses hard-coded Chinese strings, it may have problems with many of its features on non-Chinese systems. Some antivirus software was able to detect the virus using heuristics before there was a specific detection for it. Magef does not propagate through the Internet or email, but it may be passed on accidentally if an infected file ends up in a P2P shared folder, on a web server, or is sent in an email.

Variants

Magef.B

Magef.B weighs in at 4,768 bytes. It was discovered on 1 November 2003. The file it drops in the System folder is named UnBlaster.exe. It does not correct the issues caused by a hard-coded Chinese string. In the drivers folder inside the System folder, it creates the file miniwdm.sys and starts it as a service. If the month of the system date is March, June, September, or December and the day of the week is Friday, Saturday, or Sunday, it displays a message in Chinese.

[Image: The Magef message]

Translation:

Title: Declaration of the Technical Messenger of Mo National Defense
This messenger came to spread technology and has set up camp here. I am not harmful, don't worry!
To my idol Bill Gates: A few of your stupid subordinates underestimated my vulnerability report. You should hit their PP!
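The dropped files and the RunOnce value named under Behavior and Magef.B can be checked against a mounted disk image during triage. The following is an added example, not code from the original page or from any vendor; the input layout (a path to the image's System folder and the HKLM RunOnce values exported as a name-to-data mapping) and all sample data are assumptions constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# File names taken from this page, relative to the Windows System folder.
FILE_INDICATORS = {
    "dxupdate.exe": "Magef (original) dropped copy",
    "unblaster.exe": "Magef.B dropped copy",
    "drivers/miniwdm.sys": "Magef.B driver started as a service",
}

def find_ci(root, rel):
    """Resolve rel under root ignoring case (Windows file names are case-insensitive)."""
    cur = Path(root)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part), None)
        if cur is None:
            return None
    return cur if cur.is_file() else None

def triage(system_dir, runonce):
    """system_dir: System folder of a mounted image (assumed layout).
    runonce: exported HKLM RunOnce values as {name: data} (assumed input format)."""
    findings = []
    for rel, meaning in FILE_INDICATORS.items():
        hit = find_ci(system_dir, rel)
        if hit:
            findings.append((str(hit.relative_to(system_dir)), meaning))
    for name, data in runonce.items():
        # The page gives the value as "Dxupdate.exe = Dxupdate.exe".
        target = data.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.lower() == "dxupdate.exe" and target == "dxupdate.exe":
            findings.append((f"RunOnce\\{name}", "Magef (original) persistence value"))
    return findings

def demo():
    """Run triage over a constructed System folder; all sample data is made up."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp) / "System32"
        (sysdir / "Drivers").mkdir(parents=True)
        (sysdir / "DXUPDATE.EXE").write_bytes(b"constructed sample")
        (sysdir / "Drivers" / "miniwdm.sys").write_bytes(b"constructed sample")
        (sysdir / "notepad.exe").write_bytes(b"constructed sample")
        runonce = {"Dxupdate.exe": "Dxupdate.exe", "Setup": r"C:\setup\finish.exe"}
        return triage(sysdir, runonce)

if __name__ == "__main__":
    for artifact, meaning in demo():
        print(f"{artifact}: {meaning}")
```

A file-name match is a lead for further analysis rather than a verdict, and because Windows deletes RunOnce values once they have run, a missing value does not clear a host.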

Magef.Hoker

This variant is 10,240 bytes long. It spreads through the RPC DCOM vulnerability, but also contains many bugs that prevent it from spreading well. During the 4th week of May, it displays a dialog box with the title "Chinese Honker" ("红客" hong ke, the Chinese word for Hacker) and the message translating to "Diaoyu Island is Chinese territory, Japanese pirates and dogs are not allowed to enter! The Indonesian thugs who murdered the Chinese in 1998 will die without a place to bury them! Incorporating China's territory into the scope of "peripheral affairs" is abominable to Japan! Sending troops abroad in violation of the constitution, denying historical facts, beautifying wars of aggression, and paying homage to war criminals in the Yasukuni Shrine is shameless for Japan! Use the Diaoyu Islands to pull the United States to "co-defense" and provoke Sino-US conflicts. The Japanese nation is insidious! Puppy pure wolf, you big untrustworthy jackal, you say you are friendly and peaceful, but you paid homage to the war criminals who killed tens of millions of Asians several times, condoned the right-wing forces, pushed the military team to send troops abroad, and launched spy satellites (fortunately, your technology is not good, you just put a super firecracker to create space junk), I advise you not to meet Chinese hackers, otherwise you will be hit all over the place!"

If the user is using a Japanese system, then when the system date is August 15 (the day of Japanese surrender in World War II), the virus will release a "win.com" file in the system directory, and display the message "You can not continue, because your country—Japan Killed 40,000,000 peoples since 1894-1945!!!!!!".

Effects and origin

Mafeg was particularly virulent in China, where it may have originated. Its use of simplified characters in the message as well as its hard coding strongly support this theory. The message also suggests that its purpose was to humiliate Microsoft and Bill Gates. It even has a Chinese name, "莫國防" (traditional characters) or "莫国防" (simplified characters), pronounced mò guó fáng, each character roughly meaning "there is no", "national", and "defense" respectively.

It shares some similarities with the Netop (AKA Leto) virus, also from China, and has a similar background to the Linux Lion worm. Similar patriotic messages were displayed by the KillDpt virus.
