Magistr
Magistr
Type File virus
Creator The Judges Disemboweler
Date Discovered 2001.03.13
Place of Origin Malmö, Sweden
Source Language Assembly
Platform MS Windows
File Type(s) .exe
Infection Length 24,876 bytes
Reported Costs

Magistr, occasionally called Disemboweler, is a dangerous virus with worm-like capabilities. It spreads to other computers through email as well as infects files. In addition, Magistr has a very dangerous payload that deletes files, and destroys the the BIOS chip. It is comparable to some other potentially very dangerous viruses, such as CIH and Kriz. It also shares some features of the Dengue and Shoerec viruses.

Behavior

When a file infected with Magistr is executed, it tries to load itself into memory by patching the Explorer.exe process with a 110-byte routine that loads the rest of the virus into Explorer's memory. The TranslateMessage function is hooked to point to that code. It operates in memory as a thread of the Explorer process. After completing this part of the infection, the worm sleeps for three minutes.

Magistr then finds the name of the infected computer and converts it to a base 64 string. Depending on the first letter of this string, it creates a file in the windows folder the program files folder or the root of the hard drive. This file will contain information that includes the location of the addressbooks and the date of infection.

It obtains the the current user's email address. It checks the registry for Outlook, Exchange, Internet Mail, and News then the Prefs.js file for Netscape. It adds this to a list of the ten most recent email addresses it has infected.

Magistr checks for an active Internet connection and if there is one, begins constructing an email to send an infected file. It searches the system for .doc and .txt files and will use random text from one of these to construct the sender line and body of the email it will send itself in. There is a 20% chance that Magistr will attach the file it chooses to the email. Some reports say it can send up to six files. It searches for up to 20 .exe and .scr files smaller than 128 kilobytes and infects one of them. The infected file will be attached to the email.

After the mail has been sent, Magistr searches for 20 .exe and .scr files on the local system and over the network and infects one of them. If the Windows folder is named Winnt, Win95, Win98 or Windows, there is a 25% chance it will move the infected file into that folder and make a small change to the filename, and add a "run=" line (this is the old equivalent to the Run registry keys) to the Win.ini file with the name and path of the infected file added to it. In all other cases, it adds the file name of the infected file (without extension) as a subkey to the local machine run key and the full name and path of the file to this subkey.

File Infection

At the entry point of the infected file, there will be 512 bytes of garbage code that transfers control of the program to the virus. Magistr encrypts its main code with polymorphic engine and appends itself to the file. An infected file will not run after being infected, so the user will not notice from a program randomly starting every time the computer starts.

Payload

Magistr.gif
Magistr's vulgar message

After the computer has been infected for a month, 100 emails have been sent with the virus and three files on the system are found to contain text related to criminal trials, Magistr activates its payload. It deletes the infected file. It overwrites every 25th text file it finds on the system with "YOUARESHIT" as many times as will fit in each file. The virus also displays a vulgar message.

Magistr's payload can also render a system inoperable. It deletes every other file on the system. The virus overwrites a sector of the first hard disk on an infinite loop. On Windows 9x systems it erases the CMOS and BIOS. This will make the computer unbootable.

If the virus has been on the system two months (and assuming the system still works), on odd days, it will reposition desktop icons when the mouse hovers over them, making it appear as if they are running away (similar to Shoerec. If the system has been infected for three months and still works, the infected file is deleted.

If a debugger is found on the system at any time, Magistr will crash the computer.

Variants

There is at least one known variant. When infecting over a network, Magistr.B registers itself in WIN.INI and SYSTEM.INI files on the target system. In WIN.INI, it registers itself in "Run=" in the Windows section. In SYSTEM.INI, it registers itself in "Shell=" in the boot section. When infecting a file, this variant encrypts itself with a key that uses the computer's name as a variable, making disinfection of these file more difficult. It does not encrypt files smaller than 131 kilobytes or files infected on a remote computer.

In addition to the other names for the Windows folder, Magistr.B checks for new names, including WINME, WIN2000, WIN2K and WINXP. Like the original, it can send a .doc file along with the copy of itself, but it can also attach a .gif image file to its email.

This variant's payload adds the ability to destroy .ntz files used by some antivirus programs. Magistr.B also attempts to disable the ZoneAlarm firewall. It fails at this and it is unknown if this failure is corrected in a subsequent variant. The variant also overwrites Win.com in the Windows folder and NTLDR in the root of drive C: with code that overwrites the hard drive when the system starts.

Effects

Magistr is often used as an example of why very destructive viruses and worms do not spread very far. In addition, the virus gives so many warning signs that the user almost always knows something is wrong before it can do real damage. One security researcher claimed he only saw one incident where the virus managed to do all of the things it was intended to do and attributed this low number to the fact that there were so many annoyances. He did not explain what happened with that one incident that the user allowed the infection to get so bad.

Origin

Magistr was coded in Assembly though its size of near 30 kilobytes makes it large for something written in Assembly, however understandable given its capabilities. Its coder is The Judges Disembowler, based in Sweden. Little is known about The Judges Disembowler, even if this is a person or a group. She/He/They have not released anything with any notable impact since. Because of the sophistication of this virus, particularly its payload, she/he/they are believed to have relatively advanced knowledge of computers.

Sources

Peter Ferrie. Symantec, W32.Magistr.24876@mm. 2007.02.13

F-Secure, Worm:W32/Magistr.

Tom Mainelli. PCWorld (through Network World), Magistr Worm Emerges, Scarce But Deadly. 2001.03.16

Andrew Grygus. Automation Access, Microsoft Hides Behind Linux - as Worms Eat Windows, Why It's Going to Get a Lot Worse. 2003.08.23-09.10

Kaspersky Lab, Magistr: A Recipe Of Blending Virus and Worm with Some Multilevel Polymorphism Flavour. 2001.03.14

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License