Update on the virus (originating with Max Louwerse)

William Mann bill_mann at SIL.ORG
Sat Dec 22 22:39:20 UTC 2001


Dear list members:

Here below is a message that Max Louwerse submitted to the list.  [Thanks to
Max!!]

It happens that because of the way I responded to the virus, for a few hours
the list was not passing messages onward to you.  (That has now been put
back as it was before.)  So I got this message for my approval.  Because of
technical factors, I cannot just send it on.  So here it is, with my
apologies to Max for the delays.

Read it for as much detail as you want about this matter.  I trust Max very
thoroughly on this, and so I suggest that you trust the message below as
well.

Again, sorry for all of this trouble.

Bill Mann


----- Original Message -----
From: "Max Louwerse" <mlouwers at memphis.edu>
To: "'William Mann'" <bill_mann at SIL.ORG>;
<RSTLIST at LISTSERV.LINGUISTLIST.ORG>
Sent: Saturday, December 22, 2001 1:57 PM
Subject: RE: [RST-LIST] Update on the virus


> Dear all,
>
> Norton Anti-Virus picked up two messages with a virus both from Keiko
> Nonaka [knonaka at KUS.HOKKYODAI.AC.JP]. This person has NOT sent this
> virus on purpose. Instead, everybody in his/her address book will be
> sent a random file sample from the infected computer, with the virus as
> an attachment. In this case, the attachment files are INFUNIST.EXE and
> IBM.SCR.
>
> Delete both files and the problem is solved. Also, make sure you have a
> recent anti-virus program.
>
> Norton's information about the virus
> (http://securityresponse.symantec.com/avcenter/venc/data/w32.magistr.24876 at mm.html)
> is printed below.
>
> Cheers,
> Max.
>
>
> W32.Magistr.24876 at mm is a virus that has email worm capability. It is
> also network aware. It infects Windows Portable Executable (PE) files,
> with the exception of .dll system files. It sends email messages to
> addresses that it gathers from the Outlook/Outlook Express mail folders
> (.dbx, .mbx), the sent items file from Netscape, and Windows address
> books (.wab), which are used by mail clients such as Microsoft Outlook
> and Microsoft Outlook Express. The email message may have up to two
> attachments, and it has a randomly generated subject line and message
> body.
>
> NOTE: In many cases this virus will "touch" files and send them out as
> email attachments. Such files do not contain viral code and should be
> considered clean. In such cases it is safe to delete the file, and it
> would be prudent to inform the sender that his or her system has been
> infected by the virus.
>
>
> Also Known As: I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr at mm,
> W32.Magistr.24876.int, W32/Disemboweler, W32.Magistr.corrupt,
> W32/Magistr-A
>
> Type: Virus, Worm
>
> Infection Length: varies
>
> Virus Definitions: March 13, 2001
>
> Threat Assessment:
>
>
> Wild: Medium
> Damage: High
> Distribution: High
>
>
> Wild:
>
> Number of infections: More than 1000
> Number of sites: More than 10
> Geographical distribution: Medium
> Threat containment: Moderate
> Removal: Moderate
> Damage:
>
> Payload:
> Large scale e-mailing: Uses email addresses from the Windows Address
> Book files and Outlook Express Sent Items folder.
> Causes system instability: Overwrites hard drives, erases CMOS, flashes
> the BIOS.
> Releases confidential info: It could send confidential Microsoft Word
> documents to others.
> Distribution:
>
> Subject of email: Randomly generated text that can be up to 60
> characters long.
> Name of attachment: One randomly named infected executable and several
> randomly selected text or document files
> Target of infection: All Windows PE files that are not .dll files.
>
> Technical description:
>
> When a file that is infected by W32.Magistr.24876 at mm is executed, it
> searches in memory for a readable, writable, initialized area inside the
> memory space of Explorer.exe. If it finds one, a 110-byte routine is
> inserted into that area and the TranslateMessage function is hooked to
> point to that routine. This code first appeared in W32.Dengue.
>
> When the inserted code gains control, a thread is created and the
> original TranslateMessage function is called. The thread waits for three
> minutes before activating. Then the virus obtains the name of the
> computer, converts it to a base64 string, and depending on the first
> character of the name, creates a file in either the \Windows folder, the
> \Program Files folder, or the root folder. This file contains certain
> information, such as the location of the email address books and the
> date of initial infection. The virus then retrieves the current user's
> email name and address information from the registry (for Outlook,
> Exchange, and Internet Mail and News), or the Prefs.js file (for
> Netscape). The virus keeps in its body a history of the 10 most recently
> infected users, and these names are visible in infected files when the
> virus is decrypted. Next the virus searches for the Sent file in the
> Netscape folder, and for .wab, .mbx, and .dbx files in the \Windows and
> \Program Files folders.
>
> If an active Internet connection exists, the virus searches for up to
> five .doc and .txt files and chooses a random number of words from one
> of these files. These words are used to construct the subject and
> message body of the email message. Then the virus searches for up to 20
> .exe and .scr files smaller than 128 KB, infects one of these files,
> attaches the infected file to the new message, and sends this message to
> up to 100 people from the address books. In addition there is a
> 20-percent chance that it will attach the file from which the subject
> and message body was taken, and an 80-percent chance that it will add
> the number 1 to the second character of the sender address. This last
> change prevents replies from being returned to you and possibly alerting
> you to the infection.
>
> After the mailing is complete, the virus searches for up to 20 .exe and
> .scr files, and infects one of these files. Then if the Windows
> directory is named one of the following:
>
> Winnt
> Win95
> Win98
> Windows
> there is a 25-percent chance that the virus will move the infected file
> into the \Windows folder and alter the file name slightly. Once the file
> is moved, a run= line is added to the Win.ini file to run the virus
> whenever the computer is started. In the other 75 percent of cases, the
> virus creates a registry subkey in
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>
> The name of this subkey is the name of the file without a suffix, and
> the value is the complete file name of the infected file. The virus then
> searches all local hard drives and all shared folders on the network for
> up to 20 .exe and .scr files to infect, and adds the run= line if the
> \Windows folder exists in that location.
>
> The virus will activate the first of its payloads if the computer has
> been infected for one month and at least 100 people have been sent an
> infected file, and if at least three files contain at least three
> examples from the following list:
>
> sentences you
> sentences him to
> sentence you to
> ordered to prison
> convict
> , judge
> circuit judge
> trial judge
> found guilty
> find him guilty
> affirmed
> judgment of conviction
> verdict
> guilty plea
> trial court
> trial chamber
> sufficiency of proof
> sufficiency of the evidence
> proceedings
> against the accused
> habeas corpus
> jugement
> condamn
> trouvons coupable
> a rembourse
> sous astreinte
> aux entiers depens
> aux depens
> ayant delibere
> le present arret
> vu l'arret
> conformement a la loi
> execution provisoire
> rdonn
> audience publique
> a fait constater
> cadre de la procedure
> magistrad
> apelante
> recurso de apelaci
> pena de arresto
> y condeno
> mando y firmo
> calidad de denunciante
> costas procesales
> diligencias previas
> antecedentes de hecho
> hechos probados
> sentencia
> comparecer
> juzgando
> dictando la presente
> los autos
> en autos
> denuncia presentada
>
> This payload is similar to that of W32.Kriz, and it does the following:
> Deletes the infected file
> Erases CMOS (Windows 9x/Me only)
> Erases the Flash BIOS (Windows 9x/Me only)
> Overwrites every 25th file with the text YOUARESHIT as many times as it
> will fit in the file
> Deletes every other file
> Displays the following message:
>
> Overwrites a sector of the first hard disk
>
> This payload is repeated infinitely.
>
> If the computer has been infected for two months, then on odd days the
> desktop icons are repositioned whenever the mouse pointer approaches,
> giving the impression that the icons are "running away" from the mouse:
>
> If the computer has been infected for three months, then the infected
> file is deleted.
>
> For files that are infected by W32.Magistr.24876 at mm, the entry point
> address remains the same, but up to 512 bytes of garbage code is placed
> at that location. This garbage code transfers control to the last
> section. A polymorphic encrypted body is appended to the last section.
> The virus is hostile to debuggers and will crash the computer if a
> debugger is found.
>
> NOTE: If a file is detected as W32.Magistr.corrupt, this indicates that
> the file was damaged by the virus and cannot be repaired.
>
>
> Removal instructions:
>
> To remove this worm, repair files detected as W32.Magistr.24876 at mm, and
> reverse the changes it made to the Windows registry or the Win.ini
> file.
>
> To remove the worm:
>
> 1. Run LiveUpdate to make sure that you have the most recent virus
> definitions.
> 2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
> scan all files. For instructions on how to do this, read the document
> How to configure Norton AntiVirus to scan all files.
> 3. Run a full system scan.
> 4. If any files are detected as infected by W32.Magistr.24876 at mm, write
> down the file names and then click Repair.
>
> To edit the registry:
> There is a 75-percent chance that the worm has added a value to the
> registry. Follow the instructions in this section first. If you do not
> find a value that was added by the worm, go on to the next section.
>
> CAUTION: We strongly recommend that you back up the system registry
> before you make any changes. Incorrect changes to the registry could
> result in permanent data loss or corrupted files. Please make sure that
> you modify only the keys that are specified. Please see the document How
> to back up the Windows registry before proceeding. This document is
> available from the Symantec Fax-on-Demand system. In the U.S. and
> Canada, call (541) 984-2490, select option 2, and then request document
> 927002.
>
> 1. Click Start, and click Run. The Run dialog box appears.
> 2. Type regedit and then click OK. The Registry Editor opens.
> 3. Navigate to the key
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>
> 4. In the right pane, delete the value that refers to a file that was
> detected as infected by W32.Magistr.24876 at mm.
>
> To edit the Win.ini file:
> 1. Click Start, and click Run.
> 2. Type the following, and then click OK.
>
> edit c:\windows\win.ini
>
> The MS-DOS Editor opens.
>
> NOTE: If Windows is installed in a different location, make the
> appropriate path substitution.
>
> 3. In the [windows] section of the file, look for the line that begins
> with
>
> run=
>
> 4. To the right of the equal (=) sign, look for text that refers to a
> file that was detected as infected by W32.Magistr.24876 at mm.
> 5. Delete this text.
> 6. Click File, and click Save.
> 7. Exit the MS-DOS Editor.
>
> NOTE: This virus contains bugs which will corrupt some files while
> attempting to infect them, as well as when the first payload activates.
> These files cannot be repaired; they must be restored from a backup.
> (These files may be detected as W32.Magistr.corrupt.)
>
>
> Additional information:
>
> What are Portable Executable (PE) files?
> PE files are files that are portable across all Microsoft 32-bit
> operating systems. The same PE format executable can be executed on any
> version of Windows 95, 98, Me, NT, and 2000. Therefore, all PE files are
> executable, but not all executable files are portable.
>
> A good example of a Portable Executable file is a screen saver (.scr)
> file.
>
> Write-up by: Peter Ferrie
> ________________________________________
> Max Louwerse
>  Department of Psychology
>  University of Memphis
>  Psychology Building
>  Memphis TN 38152
>  USA
>
>  phone: (901) 678-2143
>  fax:   (901) 678-2579
>
>  email: mlouwers at memphis.edu / max at mail.psyc.memphis.edu
>
>  http://www.psyc.memphis.edu/faculty/louwerse
> ________________________________________
>
>
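A defender's check for the two persistence locations that the removal instructions walk through (the run= line in the [windows] section of Win.ini and the Run subkey under HKEY_LOCAL_MACHINE), written as an added example here; it is not part of the original message or of the Symantec write-up. The Win.ini text, the Run-key values and the infected file names are constructed samples, and the parser assumes that several programs on one run= line are separated by spaces or commas.

```python
import re
from typing import Dict, List

# Constructed sample of a Win.ini fragment (not from any real machine): the
# worm's entry sits beside a legitimate program on the same run= line.
SAMPLE_WIN_INI = """[windows]
load=
run=c:\\windows\\system\\hpscan.exe c:\\windows\\ibm1.scr
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed sample of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
# CurrentVersion\Run, as value name -> data. As the write-up describes, the
# worm's value name is the file name without suffix and the data is the path.
SAMPLE_RUN_KEY = {
    "ScanRegistry": "c:\\windows\\scanregw.exe /autorun",
    "infunist": "c:\\program files\\infunist.exe",
}

# File names written down in step 4 of the scan (constructed for the example).
INFECTED_FILES = ["INFUNIST.EXE", "IBM1.SCR"]


def _program_name(command: str) -> str:
    """Lower-case file name (no path, no arguments) of the program in a command."""
    m = re.match(r'\s*"?(.+?\.(?:exe|scr))\b', command, re.IGNORECASE)
    target = m.group(1) if m else command.strip()
    return re.split(r"[\\/]", target)[-1].lower()


def win_ini_run_entries(win_ini: str) -> List[str]:
    """Programs listed on the run= line of the [windows] section, in order."""
    section = None
    for line in win_ini.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and line.lower().startswith("run="):
            return [p for p in re.split(r"[ ,]+", line[4:].strip()) if p]
    return []


def flag_persistence(win_ini: str, run_key: Dict[str, str],
                     infected: List[str]) -> Dict[str, List[str]]:
    """Entries in either location that launch one of the reported files."""
    names = {n.lower() for n in infected}
    return {
        "win.ini": [e for e in win_ini_run_entries(win_ini) if _program_name(e) in names],
        "registry": [v for v, data in run_key.items() if _program_name(data) in names],
    }


def cleaned_run_line(win_ini: str, infected: List[str]) -> str:
    """The run= line with the reported files removed and legitimate entries kept."""
    names = {n.lower() for n in infected}
    return "run=" + " ".join(e for e in win_ini_run_entries(win_ini)
                             if _program_name(e) not in names)
```

Because the worm may rename the file slightly when it moves it into \Windows, match against the names the scanner actually reported rather than against the attachment names seen in mail.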