Vanagon EuroVan
Date:         Wed, 19 Dec 2001 08:30:40 -0500
Reply-To:     David Beierl <dbeierl@ATTGLOBAL.NET>
Sender:       Vanagon Mailing List <vanagon@gerry.vanagon.com>
From:         David Beierl <dbeierl@ATTGLOBAL.NET>
Subject:      DANGER was: Re: Checking for: Sound Blaster.
Content-Type: text/plain; charset="us-ascii"; format=flowed

John, you have caught a bad cold verging on AIDS-- this message was an attempt to send W32.Magistr.39921@mm to the list (I know because I got a copy privately as well). DO NOT SHUT OFF YOUR SYSTEM but do disconnect it from the net while you digest the following. Note that rebooting while still infected will likely cause the machine to stop booting. Note also that the worm installs a Trojan horse program so that others can operate your system remotely:

david

http://securityresponse.symantec.com/avcenter/venc/data/w32.magistr.39921@mm.html

Damage:

* Payload:
  * Large scale e-mailing: Uses email addresses from the Windows and Eudora Address Book files, Outlook Express Sent Items folder, and Netscape Sent Items files.
  * Causes system instability: Overwrites hard drives, erases CMOS, flashes the BIOS.
  * Releases confidential info: It could send confidential Microsoft Word documents to others.

Distribution:

* Subject of email: Randomly generated text that can be up to 60 characters long.
* Name of attachment: One randomly named infected executable and several randomly selected text or document files.
* Target of infection: All Windows PE files that are not .dll files.

Technical description:

Here is a list of the additional features and behavioral differences between W32.Magistr.39921@mm and W32.Magistr.24876@mm:

* Aware of Eudora address books (listed in Eudora.ini).
* Deletes *.ntz while searching for files.
* Attempts to disable ZoneAlarm's user interface (this does not disable the ZoneAlarm firewall functionality).
* Adds an entry to the Shell=explore.exe line in the Boot section of System.ini, calling the W32.Magistr.Trojan.
* Searches for more Windows folders (Winnt, Windows, Win95, Win98, Winme, Win2000, Win2k, Winxp).
* Emails an attachment that has a random extension (.exe, .bat, .pif, or .com).
* Occasionally attaches .gifs to emails.
* The payload overwrites Ntldr.exe and Win.com on all drives with code that causes it to store garbage data in the first sector of the first IDE hard drive.

Removal instructions:

To remove W32.Magistr.39921@mm and the Trojan that it drops, run NAV and delete any infected files. Then remove the W32.Magistr.Trojan entry in the Shell= line of System.ini.

To remove W32.Magistr.39921@mm:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan. Be sure that NAV is configured to scan all files.
3. Delete all files that are detected as W32.Magistr.39921@mm. If necessary, restore any W32.Magistr.39921@mm infected files from a clean backup.

NOTE: Files detected as W32.Magistr.Trojan must be restored from backup copies or extracted from the original installation CD. (These are the system files Ntldr.exe and Win.com.) Your system will not function properly without them. For information on how to do this, refer to your Windows documentation, or to one of the following documents:

* How to extract files in Windows 98 and Windows Me.
* How to extract files using Windows 2000 or Windows NT 4.0.

Remove the W32.Magistr.Trojan entry from the System.ini:

1. During the scan with NAV, note the name of any files infected by W32.Magistr.Trojan.
2. Click Start, and click Run.
3. Type the following, and then click OK.

edit c:\windows\system.ini

The MS-DOS Editor opens.

NOTE: If Windows is installed in a different location, make the appropriate path substitution.

4. In the [boot] section of the file, look for the following entry

shell=Explorer.exe

5. Position the cursor immediately to the right of Explorer.exe.
6. Press Shift+End to select all of the text to the right of Explorer.exe and then press Delete.
7. Click File, and Exit.
8. Click Yes when you are prompted whether to save the changes.

NOTE: If you still have problems after following these removal instructions, follow the instructions in the Removal section of W32.Magistr.24876@mm.


David Beierl - Providence, RI http://pws.prserv.net/synergy/Vanagon/ '84 Westy "Dutiful Passage" '85 GL "Poor Relation"
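As an added example (not part of David's message or of Symantec's writeup), a small Python check of the System.ini change the removal section describes: it reads an INI text, reports anything listed after Explorer.exe on the [boot] shell= line, and truncates the line the way steps 4 through 8 do by hand. The two INI contents and the EXAMPLE_DROPPED.EXE name are constructed for the example; the worm's real dropped filenames are not given on this page.

```python
"""Check a Windows 9x/Me System.ini [boot] shell= line for appended programs."""
import re

# Constructed samples: a clean file, and one with an extra program on shell=.
CLEAN_INI = """[boot]
shell=Explorer.exe
[386Enh]
device=vmm32.vxd
"""

TAMPERED_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\EXAMPLE_DROPPED.EXE
[386Enh]
device=vmm32.vxd
"""

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def shell_entries(ini_text: str) -> list[str]:
    """Return the whitespace-separated values of shell= in [boot], or [] if absent."""
    section = None
    for line in ini_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return value.split()
    return []


def extra_shell_programs(ini_text: str) -> list[str]:
    """Anything after Explorer.exe is suspect; a missing or replaced shell is returned whole."""
    entries = shell_entries(ini_text)
    if not entries or entries[0].lower() != "explorer.exe":
        return entries
    return entries[1:]


def clean_shell_line(ini_text: str) -> str:
    """Rewrite the [boot] shell= line to Explorer.exe only (steps 4-8 of the instructions)."""
    out, section = [], None
    for line in ini_text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
        elif section == "boot" and line.split("=", 1)[0].strip().lower() == "shell":
            line = "shell=Explorer.exe\n"
        out.append(line)
    return "".join(out)
```

Pointed at a real c:\windows\system.ini, the check only reads the [boot] section, so other sections (and the Win.com/Ntldr.exe restoration the NOTE above requires) are unaffected and still need the NAV scan.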

