Magistr
Type File virus
Creator The Judges Disemboweler
Date Discovered 13-MAR-2001
Place of Origin Malmö, Sweden
Source Language Assembly
Platform MS Windows
File Type(s) .exe
Infection Length 24,876 bytes
Reported Costs

Magistr, occasionally called Disemboweler, is an email worm and file infector. It targets users in the legal profession (hence the name of the virus): it spreads to other computers through email, infects executable files, and its payload is triggered by the presence of court documents on the machine. The payload is very dangerous, deleting files and overwriting the BIOS. It is comparable to other highly destructive viruses such as CIH and Kriz, and it shares some features with the Dengue and Shoerec viruses.

Behavior

File Infection

When a file infected with Magistr is executed, it tries to load itself into memory by patching the Explorer.exe process with a 110-byte routine that loads the rest of the virus into Explorer's memory. The TranslateMessage function is hooked to point to that code. It operates in memory as a thread of the Explorer process. After completing this part of the infection, the worm sleeps for three minutes.

Magistr then reads the name of the infected computer and converts it to a base 64 string. Depending on the first character of this string, it creates a file in the Windows folder, the Program Files folder, or the root of the hard drive. This file holds state such as the location of the address books and the date of infection. At the entry point of an infected file there are 512 bytes of garbage code that transfer control to the virus body. Magistr encrypts its main code with a polymorphic engine and appends itself to the file. The host program still runs normally after infection, so the user is not alerted by a program failing to start or behaving differently.

Spreading

It obtains the current user's email address by checking the registry for Outlook, Exchange, Internet Mail and News, and then the Prefs.js file for Netscape. It adds this address to a list of the ten most recent email addresses it has used. Magistr has an 80% chance of incrementing the second letter of the user's email address (for example, example@website.com becomes eyample@website.com) so that bounces from dead addresses or replies from recipients do not reach the infected user and alert them to the virus.

Magistr checks for an active Internet connection and, if there is one, begins constructing an email in which to send an infected file. It searches the system for .doc and .txt files and uses random text from one of them to build the subject line and body of the message. It also searches for up to 20 .exe and .scr files smaller than 128 kilobytes and infects one of them; the infected file is attached to the email. Some reports say it can send up to six files.

There is a 20% chance that Magistr will also attach the .doc or .txt file from which it took the subject line and body. This can leak sensitive information if that document was meant to be confidential.

If the Windows folder is named Winnt, Win95, Win98 or Windows, there is a 25% chance that it will move the infected file into that folder, make a small change to the filename, and add a "run=" line (the old equivalent of the Run registry keys) to Win.ini containing the name and path of the infected file. In all other cases it adds the file name of the infected file (without extension) as a value under the local machine Run key, with the full path of the file as that value's data.

Payload

Magistr activates its payload after the computer has been infected for a month, 100 emails carrying the virus have been sent, and three text documents on the system are each found to contain at least three of the following phrases. The phrases relate to criminal trials and court rulings, in English, French and Spanish:

* sentences you
* sentences him to
* sentence you to
* ordered to prison
* convict
* , judge
* circuit judge
* trial judge
* found guilty
* find him gulity
* affirmed
* judgement of conviction
* verdict
* guilty plea
* trial court
* trial chamber
* sufficiency of proof
* sufficiency of the evidence
* proceedings
* habeas corpus
* judgement
* condamn
* trouvons coupable
* a rembourse
* sous astreinte
* aux entiers depens
* aux depens
* ayant delibere
* le present arret
* vu l'arret
* conformement a la loi
* execution provisoire
* rdonn
* audience publique
* cadre de la procedure
* magistrad
* apelante
* recurso de apelaci
* pena de arresto
* mando y firmo
* calidad de denunciante
* costas procesales
* diligencias previas
* antecedentes de hecho
* hechos probados
* sentencia
* comparecer
* juzgando
* dictando la presente
* los autos
* en autos
* denucia presentada

However, if one of these requirements is not met when the computer is first infected, the virus goes dormant indefinitely.
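The trigger predicate described above, reimplemented here as an added example so a responder can check which text files on a host would satisfy it. This is not Magistr's own code and not taken from any vendor tool; the phrase list is the one quoted on this page, and the assumption that matching is plain case-insensitive substring matching (so "convict" also hits "conviction", and "condamn" hits "condamne") is mine. The sample documents are constructed for the example.

```python
# Added example: models Magistr's documented payload trigger. Not the virus's
# own code; case-insensitive substring matching is an assumption.
from __future__ import annotations

# Phrase list as quoted on this page, including its original spellings.
TRIGGER_PHRASES = [
    "sentences you", "sentences him to", "sentence you to", "ordered to prison",
    "convict", ", judge", "circuit judge", "trial judge", "found guilty",
    "find him gulity", "affirmed", "judgement of conviction", "verdict",
    "guilty plea", "trial court", "trial chamber", "sufficiency of proof",
    "sufficiency of the evidence", "proceedings", "habeas corpus", "judgement",
    "condamn", "trouvons coupable", "a rembourse", "sous astreinte",
    "aux entiers depens", "aux depens", "ayant delibere", "le present arret",
    "vu l'arret", "conformement a la loi", "execution provisoire", "rdonn",
    "audience publique", "cadre de la procedure",
    "magistrad", "apelante", "recurso de apelaci", "pena de arresto",
    "mando y firmo", "calidad de denunciante", "costas procesales",
    "diligencias previas", "antecedentes de hecho", "hechos probados",
    "sentencia", "comparecer", "juzgando", "dictando la presente",
    "los autos", "en autos", "denucia presentada",
]

MIN_PHRASES_PER_DOC = 3   # phrases a single document must contain
MIN_MATCHING_DOCS = 3     # documents that must meet that bar
MIN_DAYS_INFECTED = 30    # "a month" on this page, taken as 30 days
MIN_EMAILS_SENT = 100


def phrase_hits(text: str) -> list[str]:
    """Distinct trigger phrases occurring in text (case-insensitive substrings)."""
    lowered = text.lower()
    return [p for p in TRIGGER_PHRASES if p in lowered]


def matching_documents(docs: dict[str, str]) -> dict[str, list[str]]:
    """Map filename -> hits for every document with enough phrase hits."""
    return {name: hits for name, text in docs.items()
            if len(hits := phrase_hits(text)) >= MIN_PHRASES_PER_DOC}


def payload_would_trigger(days_infected: int, emails_sent: int,
                          docs: dict[str, str]) -> bool:
    """All three documented conditions must hold at once."""
    return (days_infected >= MIN_DAYS_INFECTED
            and emails_sent >= MIN_EMAILS_SENT
            and len(matching_documents(docs)) >= MIN_MATCHING_DOCS)


# Constructed sample documents (not real case files).
SAMPLE_DOCS = {
    "appeal.txt": "The trial court found guilty the accused; the verdict was affirmed on appeal.",
    "arret.txt": "Vu l'arret, la cour condamne le defendeur aux depens et ordonne l'execution provisoire.",
    "auto.txt": "En autos, la sentencia firme ordena comparecer al apelante.",
    "memo.txt": "Quarterly budget proceedings are attached.",
}

if __name__ == "__main__":
    for name, hits in matching_documents(SAMPLE_DOCS).items():
        print(f"{name}: {hits}")
    print("trigger:", payload_would_trigger(31, 120, SAMPLE_DOCS))
```

Note that the check is literal to the page's spellings: a document using the American "judgment" would not match "judgement", and "find him gulity" only matches that misspelling.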

When its payload is activated, Magistr deletes any infected files. It overwrites every 25th file it finds on the system with "YOUARESHIT" as many times as will fit in each file. The virus also displays a vulgar message.

Magistr.gif
Magistr's vulgar message

Magistr's payload can also render a system inoperable. It deletes every other file on the system, and it overwrites a sector of the first hard disk in an infinite loop. On Windows 9x systems it also erases the CMOS memory and overwrites the flash BIOS, which leaves the computer unable to boot.

If the virus has been on the system two months (and assuming the system still works), on odd days, it will reposition desktop icons when the mouse hovers over them, making it appear as if they are running away (similar to Shoerec). If the system has been infected for three months and still works, the infected file is deleted.

If a debugger is found on the system at any time, Magistr will crash the computer.

Variants

There is at least one known variant. When infecting over a network, Magistr.B registers itself in the WIN.INI and SYSTEM.INI files on the target system: in WIN.INI under "Run=" in the [windows] section, and in SYSTEM.INI under "Shell=" in the [boot] section. When infecting a file, this variant encrypts itself with a key derived from the computer's name, which makes disinfection of these files more difficult. It does not encrypt files smaller than 131 kilobytes or files infected on a remote computer.
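An added audit script covering the autostart locations named in the Spreading section (the Win.ini "run=" line and the local machine Run key) and in the variant paragraph above (the System.ini "Shell=" line). It is example code written for this page, not Magistr's code and not a vendor tool. Assumptions: a clean "Shell=" line is the bare explorer.exe; the Run-key heuristic, which flags a value whose name equals the executable's base name (the pattern this page attributes to Magistr), is mine and will also flag legitimate software, so it is a triage aid rather than a verdict. The INI contents and Run-key values are constructed samples; on a live host you would read the real files and the registry instead.

```python
# Added example: audit legacy Windows autostart points used by Magistr and
# Magistr.B. Not the virus's code. Sample data below is constructed.
from __future__ import annotations
import re

EXPECTED_SHELL = "explorer.exe"   # assumption: default shell on a clean system


def parse_ini(text: str) -> dict[str, list[tuple[str, str]]]:
    """Minimal INI parser keeping duplicate keys: {section: [(key, value), ...]}."""
    sections: dict[str, list[tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def audit_win_ini(text: str) -> list[str]:
    """Programs listed on run= in [windows]; normally empty on a clean machine."""
    found = []
    for key, value in parse_ini(text).get("windows", []):
        if key == "run" and value:
            # run= accepts several programs separated by commas or spaces
            found.extend(p for p in re.split(r"[,\s]+", value) if p)
    return found


def audit_system_ini(text: str) -> list[str]:
    """shell= lines in [boot] that are anything other than a bare explorer.exe."""
    bad = []
    for key, value in parse_ini(text).get("boot", []):
        if key == "shell":
            tokens = value.split()   # paths with spaces would need quoting handled
            name = tokens[0].lower().rsplit("\\", 1)[-1] if tokens else ""
            if name != EXPECTED_SHELL or len(tokens) > 1:
                bad.append(value)
    return bad


def audit_run_key(values: dict[str, str]) -> list[tuple[str, str]]:
    """Heuristic (mine, noisy): flag Run values named after their executable's stem."""
    flagged = []
    for name, command in values.items():
        exe = command.strip('"').split("\\")[-1]
        stem = exe.rsplit(".", 1)[0]
        if stem.lower() == name.lower():
            flagged.append((name, command))
    return flagged


# Constructed samples: a renamed copy dropped in the Windows folder, a tampered
# Shell= line, and a Run key with one benign and one suspicious entry.
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\calcb.exe\n[Desktop]\nWallpaper=(None)\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\notepab.exe\n[386Enh]\ndevice=*vmm\n"
RUN_VALUES = {
    "SoundMgr": "C:\\Program Files\\Creative\\sndmgr.exe",
    "notepab": "C:\\WINDOWS\\notepab.exe",
}

if __name__ == "__main__":
    print("win.ini run=:", audit_win_ini(WIN_INI))
    print("system.ini shell=:", audit_system_ini(SYSTEM_INI))
    print("Run key:", audit_run_key(RUN_VALUES))
```

On a real Windows 9x/NT host the two INI files live in the Windows folder and the Run key is HKLM\Software\Microsoft\Windows\CurrentVersion\Run; anything reported by the first two functions deserves a look regardless of the heuristic, since neither line is populated on a clean install.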

In addition to the other names for the Windows folder, Magistr.B checks for new names, including WINME, WIN2000, WIN2K and WINXP. Like the original, it can send a .doc file along with the copy of itself, but it can also attach a .gif image file to its email.

This variant's payload adds the ability to destroy .ntz files used by some antivirus programs. Magistr.B also attempts to disable the ZoneAlarm firewall. It fails at this and it is unknown if this failure is corrected in a subsequent variant. The variant also overwrites Win.com in the Windows folder and NTLDR in the root of drive C: with code that overwrites the hard drive when the system starts.

Effects

Magistr is often used as an example of why very destructive viruses and worms do not spread very far. In addition, the virus gives so many warning signs that the user almost always knows something is wrong before it can do real damage. One security researcher claimed to have seen only one incident in which the virus managed to do everything it was intended to do, and attributed the low number to its many annoyances. He did not explain how, in that one incident, the infection was allowed to get that far.

Name and Origin

Magistr is named as a contraction of the word "magistrate" (a type of judge), as the virus targets law firms and courts. Fittingly, its coder goes by The Judges Disemboweler and is based in Sweden. Little is known about The Judges Disemboweler, not even whether this is a person or a group, and they have released nothing of notable impact since. Because of the sophistication of this virus, particularly its payload, they are believed to have relatively advanced knowledge of computers.

Magistr was coded in Assembly. Its size of nearly 25 kilobytes is large for something written in Assembly, but understandable given its capabilities.

Sources

Peter Ferrie. Symantec, "W32.Magistr.24876@mm". 2007-02-13.

F-Secure, "Worm:W32/Magistr".

Tom Mainelli. PCWorld (via Network World), "Magistr Worm Emerges, Scarce But Deadly". 2001-03-16.

Andrew Grygus. Automation Access, "Microsoft Hides Behind Linux - as Worms Eat Windows, Why It's Going to Get a Lot Worse". 2003-08-23 to 2003-09-10.

Kaspersky Lab, "Magistr: A Recipe Of Blending Virus and Worm with Some Multilevel Polymorphism Flavour". 2001-03-14.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License